Koji Chida, Nicolas T. Courtois, Yang Cui, Jean-François Dhem, Louis Goubin, Louis Granboulan, Rob Granger, Jens Groth, Yumiko Hanaoka, Darrel Hankerson, Chao-Chih Hsu, Tetsutaro Kobayashi, Yuichi Komano, Hidenori Kuwakado, Tanja Lange, Peter Leadbitter, Byoungcheon Lee, Chun-Ko Lee, Henry C.J. Lee, John Malone Lee, Yong Li, Benoit Libert, Hsi-Chung Lin, Yi Lu, Jean Monnerat, Anderson C.A. Nascimento, C. Andrew Neff, Akira Otsuka, Daniel Page, Kenny Paterson, Kun Peng, David Pointcheval, Taiichi Saitoh, Junji Shikata, Igor Shparlinski, Martijn Stam, Ron Steinfeld, Koutarou Suzuki, Shigenori Uchiyama, Frederik Vercauteren, Guilin Wang, Benne de Weger, Guohua Xiong, Go Yamamoto, Shoko Yonezawa, Rui Zhang, and Huafei Zhu. (I apologize for any possible omission.) The Program Committee appreciates their efforts.

Thanks to Patricia Loh for the secretarial work and to Ying Qiu for maintaining the WWW page of the conference. Finally, I would like to thank everyone who submitted to PKC 2004, and IACR for its sponsorship.
A Generalized Wiener Attack on RSA

Johannes Blömer and Alexander May
{bloemer,alexx}@uni-paderborn.de



Abstract. We present an extension of Wiener's attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple $(N, e)$ with $e \in \mathbb{Z}^*_{\phi(N)}$ that satisfies $ed - 1 = 0 \bmod \phi(N)$ for some $d < \frac{1}{3}N^{1/4}$ yields the factorization of $N = pq$. Our new method finds $p$ and $q$ in polynomial time for every $(N, e)$ satisfying $ex + y = 0 \bmod \phi(N)$ with

$$x < \frac{1}{3}N^{1/4} \quad\text{and}\quad |y| = O(N^{-3/4}ex).$$

In other words, the generalization works for all secret keys $d = -xy^{-1}$, where $x, y$ are suitably small. We show that the number of these weak keys is at least $N^{3/4-\epsilon}$ and that the number increases with decreasing prime difference $p - q$. As an application of our new attack, we present the cryptanalysis of an RSA-type scheme presented by Yen, Kim, Lim and Moon [11,12]. Our results point out again the warning for crypto-designers to be careful when using the RSA key generation process with special parameters.

Keywords: RSA, weak keys, Wiener attack, continued fractions



1 Introduction

Let $N = pq$ be an RSA-modulus, where $p$ and $q$ are primes of equal bit-size (wlog $p > q$). Let $e$ be the public exponent and $d$ be the secret exponent satisfying $ed = 1 \bmod \phi(N)$, where $\phi(N)$ is the Euler totient function. We denote by $\mathbb{Z}^*_{\phi(N)}$ the multiplicative group of invertible integers modulo $\phi(N)$. An RSA public key is a tuple $(N, e) \in \mathbb{Z} \times \mathbb{Z}^*_{\phi(N)}$.

In order to study the security of RSA, many people focus on the difficulty of factoring the modulus $N$ without taking into account additional information that may be encoded in the public exponent $e$. Hence, it is tempting for crypto-designers to construct RSA-type schemes with special public exponents that yield a good performance in encryption/decryption. For example, one might be tempted to use small decryption exponents $d$ in order to speed up the decryption process. Another fast RSA-variant that makes use of special RSA-keys was proposed by Yen, Kim, Lim and Moon [11,12] in 2001. This YKLM-scheme is designed to counteract the fault-based attack on CRT-RSA of Boneh, DeMillo and Lipton [2].

In 1990, Wiener [10] observed that information encoded in the public exponent $e$ might help to factor $N$. More precisely, he showed that every public exponent $e \in \mathbb{Z}^*_{\phi(N)}$ that corresponds to a secret exponent $d$ with $d < \frac{1}{3}N^{1/4}$ yields the factorization of the modulus in time polynomial in $\log(N)$. In 1999, Boneh and Durfee [3] used Coppersmith's method for finding small roots of modular polynomial equations [4] to improve the bound to $d < N^{0.292}$.

Although the YKLM-scheme uses a special key generation algorithm in order to provide good performance, the secret keys $d$ are not chosen to be small. Therefore, the Wiener attack as well as the Boneh-Durfee attack cannot directly be applied to this RSA-variant. However, in this work we present an extension of Wiener's approach that leads to a much larger class of secret keys $d$ which are insecure. Furthermore, we show that the keys which are generated in the YKLM-scheme belong to this larger class, for all reasonable parameter choices of the scheme. As a result, we obtain that the public keys $(N, e)$ in the YKLM-scheme yield the factorization of $N$ in polynomial time.

Let us put the cryptanalytic approaches above into a more general framework by defining the notion of weak keys: The results so far show that there are classes of public keys $(N, e)$ where every element in the class yields the factorization of $N$. One may view the auxiliary input $e$ as a hint how to factor $N$: Without having $e$ we assume that factoring $N$ is hard, but with the help of $e$ it becomes feasible. In the case of the Wiener attack the class consists of all public key tuples $(N, e)$ where $ed - 1 = 0 \bmod \phi(N)$ with $d < \frac{1}{3}N^{1/4}$.

We call such a class weak and the elements $(N, e)$ of the weak class are called weak keys. To be more precise: We define the size of a class of public key tuples by the number of elements $(N, e)$ in the class for every fixed $N$. Let $C$ be a class of public key tuples $(N, e)$, then

$$\mathrm{size}_C(N) = |\{e \in \mathbb{Z}^*_{\phi(N)} \mid (N, e) \in C\}|.$$

$C$ is called weak if

1. The size of $C$ is polynomial in $N$, i.e. $\mathrm{size}_C(N) = \Omega(N^{\gamma})$ for some $\gamma > 0$.

2. There exists a probabilistic algorithm $A$ that on every input $(N, e) \in C$ outputs the factorization of $N$ in time polynomial in $\log(N)$.

Note that the size of a weak class is a function in $N$ which denotes the number of elements that can be factored by the corresponding algorithm $A$. For example, the size of the class in the Wiener attack is at least $N^{1/4-\epsilon}$. Here the $\epsilon$-term comes from the fact that only those $d$ with $\gcd(d, \phi(N)) = 1$ define legitimate RSA-keys.

Let us give another (trivial) example of a weak class of public keys. Every tuple $(N, e)$ with $e = kq$, $1 < k < p$ is a weak key, since the computation $\gcd(N, e) = q$ yields the factorization. These are $p > N^{1/2}$ many weak keys. Howgrave-Graham [6] observed that even the knowledge of $e = kq + r$ for some

and may be tempting to use in the design of crypto-systems with good encryption/decryption performance.

As an example, we show that the public keys $(N, e)$ constructed in the YKLM-scheme can be attacked by our generalization of Wiener's method. Namely, we can express the secret exponent $d$ in terms of small $x$ and $y$, which breaks the crypto-system for all reasonable parameter choices.

In 2002, de Weger [9] observed that Wiener's attack can be improved when the prime difference $p - q$ is significantly less than $\sqrt{N}$. de Weger's method also applies to our extension of Wiener's attack. Interestingly, we are able to show that for prime difference $p - q = N^{1/4+\gamma}$, $0 < \gamma < \frac{1}{4}$, there are at least

weak RSA-keys $(N, e)$.

It is important to notice that for prime difference $p - q = O(N^{1/4})$ an algorithm of Fermat finds the factorization in polynomial time. Thus, our attack has a nice interpolation property towards Fermat's algorithm: As $p - q$ decreases, the number of weak public keys increases. For $\gamma$ approaching zero almost all keys are weak, corresponding to the fact that $N$ can be easily factored without any hint that is encoded in $e$.

As a by-product, we get a simple probabilistic factorization algorithm with expected running time comparable to Fermat-Factorization: For a fixed $N$, choose random $e < N$ and apply our algorithm to each choice $(N, e)$ until $(N, e)$ is a weak key that yields the factorization.

Notice that the interpolation property above seems to imply that one cannot improve our approach significantly. On the other hand, there might be different techniques, for example lattice reduction techniques for higher dimensional lattices, that lead to larger classes of weak keys for the prime difference $p - q = \Omega(\sqrt{N})$. But at the moment this is an open question.

The paper is organized as follows: In Section 2, we present our extension of Wiener's attack. As an application of this method, we present the cryptanalysis of the YKLM-scheme in Section 3. In Section 4, we apply the methods of de Weger to our generalized Wiener attack. We conclude the paper by showing in Section 5 that the number of weak RSA-keys $(N, e)$ in our approach is at least $N^{3/4-\epsilon}$.

2 The Generalized Wiener Attack

Throughout this work we consider RSA-moduli $N = pq$, where $p$ and $q$ are of the same bit-size (wlog $p > q$). This implies the inequalities

$$p - q < N^{1/2} \quad\text{and}\quad 2N^{1/2} < p + q < 3N^{1/2}.$$

Furthermore, we have $\phi(N) = N + 1 - (p + q) >$ .

Our attack makes use of a well-known result due to Coppersmith [4]:

Theorem 1 (Coppersmith) Let $N = pq$ be an RSA-modulus, where $p$ and $q$ are of the same bit-size. Suppose we are given an approximation of $p$ with additive error at most $N^{1/4}$. Then $N$ can be factored in time polynomial in $\log N$.

unknown $r < N^{1/4}$ suffices to find the factorization of $N$. This implies the existence of a weak class with size $N^{3/4}$.

We think that it is a very natural question to study how many of the possible choices of the public keys are indeed weak keys that should not be used in the design of crypto-systems. For the Wiener attack and the Boneh-Durfee attack it is easy for a crypto-designer to see that a key is weak by inspecting the most significant bits of $d$. For the extension of Wiener's attack that we describe in this paper the weakness of the keys is not obvious. One can understand our new result as a warning for crypto-designers to be careful when using keys with a special structure.

There is also an imminent danger from weak keys in the case of untrusted servers that create public/secret key pairs: Crépeau and Slakmon [5] showed how to use weak keys in order to construct malicious RSA systems by encoding information into the public exponent $e$. Our new class of weak keys is well-suited for the use in such systems and leads to a large variety of new malicious keys.

In order to describe our new attack, let us first consider the normal RSA-case, where $p - q = \Omega(\sqrt{N})$. Note that for randomly chosen primes of the same bitsize, the probability that $p, q$ agree in the $c$ most significant bits is roughly $2^{-c}$. Hence, we have $p - q = \Omega(\sqrt{N})$ with overwhelming probability.

For the case $p - q = \Omega(\sqrt{N})$ we introduce a variant of Wiener's attack that works for all public keys $(N, e)$ where $ex + y = k\phi(N)$, $k \in \mathbb{N}$ with

$$0 < x < \frac{1}{3}N^{1/4} \quad\text{and}\quad |y| = O(N^{-3/4}ex).$$

Notice that our bounds exclude trivial solutions where $ex + y = 0$, since $|y| < ex$.

The new method works as follows: As in Wiener's approach, we use the continued fraction algorithm to recover the unknown values $x$ and $k$. Afterwards, we show that a factorization method due to Coppersmith [4] can be applied: Given half of the most significant bits of $p$, one can find the factorization of $N$.

Let us compare the new result to Wiener's attack. Our weak keys have the structure that $e^{-1} = d = -\frac{x}{y} \bmod \phi(N)$, i.e. Wiener's algorithm is the special case where $x = d$ and $y = -1$. One should observe that for $x$ of size roughly $N^{1/4}$ as in Wiener's attack, the parameter $e$ must be of size at least $N^{3/4}$ in order to satisfy a relation of the form $ex + y = 0 \bmod \phi(N)$. Thus, $|y|$ can be chosen of size at least $x$. If $e$ is roughly $N$, which is normally the case for small $d$, $|y|$ can even be chosen of size $N^{1/4}x$ in the attack.

One should expect that for fixed $N$ the number of public keys $(N, e)$ for which our approach applies is roughly the number of tuples $(x, y)$ within the given bounds. This number can be upper bounded by $x \cdot N^{1/4}x \le N^{3/4}$. In fact, we are able to show that the number of weak keys $(N, e)$ for which our algorithm works is also lower bounded by $N^{3/4-\epsilon}$.

It is important to notice that in contrast to the approaches of Wiener and Boneh-Durfee, the secret keys in our attack are not small themselves but have a "small decomposition" in $x$ and $y$. So they might look innocuous to crypto-designers

We are now able to state our main theorem. Here we consider the normal RSA-case where $p - q = \Omega(\sqrt{N})$.



Theorem 2 Let $c < 1$ and let $(N, e)$ be an RSA public key tuple with $N = pq$ and $p - q \ge cN^{1/2}$. Suppose that $e \in \mathbb{Z}^*_{\phi(N)}$ satisfies an equation $ex + y = k\phi(N)$ with

$$0 < x \le \frac{1}{3}N^{1/4} \quad\text{and}\quad |y| \le cN^{-3/4}ex.$$

Then $N$ can be factored in polynomial time.

One should notice that the conditions of Theorem 2 imply that $ex + y \ne 0$, thereby excluding trivial congruences: Since $c < 1$, we see that $|y| < ex$. This in turn implies $k > 0$.



Roadmap for the proof of Theorem 2

– We show that the unknown parameters $x, k$ can be found among the convergents of the continued fraction expansion of $\frac{e}{N}$.

– From $x$ and $k$, we compute an approximation of $p + q$.

– From an approximation of $p + q$, we compute an approximation of $p - q$.

– Combining both approximations gives us an approximation of $p$, which leads to the factorization of $N$ by using Coppersmith's Theorem.

We want to argue that in the following proof we can assume wlog that $N > (\frac{8}{c})^4$. This condition is equivalent to $c > 8N^{-1/4}$. If this inequality does not hold then $p - q = O(N^{1/4})$ and Fermat's factorization algorithm yields the factorization of $N$ in polynomial time.



Proof: Let us start with the RSA key equation

$$ex + y = k(N - p - q + 1). \qquad (1)$$

Dividing by $Nx$ gives us

$$\frac{e}{N} - \frac{k}{x} = -\frac{k(p + q - 1) + y}{Nx}.$$

We want to argue that we can assume wlog that $\gcd(k, x) = 1$. Notice that every integer that divides both $k$ and $x$ must also divide $y$ by equation (1). Thus, we can divide equation (1) by $\gcd(k, x)$ which gives us an equation $ex' + y' = 0 \bmod \phi(N)$ with even smaller parameters $x'$ and $y'$. Hence we can assume that $\frac{k}{x}$ is a fraction in its lowest terms.

By a well-known theorem (see e.g. Theorem 184 in [7]), the fraction $\frac{k}{x}$ appears among the convergents of $\frac{e}{N}$ if the condition $\left|\frac{e}{N} - \frac{k}{x}\right| < \frac{1}{2x^2}$ is satisfied. Thus it remains to show that $|k(p + q - 1) + y| < \frac{N}{2x}$. Let us first find a bound for the parameter $k$. We know that $k = \frac{ex + y}{\phi(N)}$ and $|y| \le cN^{-3/4}ex$. Since our precondition $N > (\frac{8}{c})^4$ implies $N > 2^{12}$, we conclude that $|y| < \frac{1}{4}ex$. Therefore, we obtain

$$\frac{3}{4}\cdot\frac{ex}{\phi(N)} \le k \le \frac{5}{4}\cdot\frac{ex}{\phi(N)}. \qquad (2)$$
Now we are able to estimate

$$|k(p + q - 1) + y| \le \frac{15}{4}\cdot\frac{ex}{\phi(N)}\cdot N^{1/2} + cN^{-3/4}ex \le \frac{15}{4}xN^{1/2} + xN^{1/4} \le 4xN^{1/2},$$

where the last inequality holds for $N > 2^{12}$.

Therefore, we have to satisfy the condition $4xN^{1/2} < \frac{N}{2x}$, which is equivalent to $x < \frac{1}{\sqrt{8}}N^{1/4}$. This condition holds by our upper bound $x \le \frac{1}{3}N^{1/4}$.

Hence, the fraction $\frac{k}{x}$ must be among the convergents of the continued fraction expansion of $\frac{e}{N}$. Since there are only $O(\log N)$ many convergents, we can apply the following process to each candidate for $k$ and $x$ until our algorithm succeeds.

We have to show that the correct $k$ and $x$ yield the factorization of $N$. Let us write equation (1) as

$$N + 1 - \frac{ex}{k} = p + q + \frac{y}{k}.$$

Since every parameter on the left hand side is now known to us, we can compute an approximation of $p + q$ up to some unknown error term $\frac{y}{k}$, that can be bounded by $\left|\frac{y}{k}\right| \le \frac{4}{3}cN^{1/4}$ using inequality (2).

Our goal is to find an approximation of $p$ up to some error of size $N^{1/4}$ in order to apply Coppersmith's theorem. Therefore, we transform our approximation of $p + q$ into an approximation of $p - q$ using the relation

$$p - q = \sqrt{(p - q)^2} = \sqrt{(p + q)^2 - 4N}.$$

Let $s$ be our approximation of $p + q$ with additive error at most $\frac{4}{3}cN^{1/4}$. We will show that $t = \sqrt{s^2 - 4N}$ is an approximation of $p - q$ with an additive error that can be bounded by $9N^{1/4}$. Thus, the term $\frac{1}{2}(s + t)$ is an approximation of $p$ with error at most

$$\left|\frac{1}{2}(s + t) - p\right| = \frac{1}{2}\left|s - p - q + t - p + q\right| \le \frac{1}{2}|s - (p + q)| + \frac{1}{2}|t - (p - q)| \le \frac{2}{3}cN^{1/4} + \frac{9}{2}N^{1/4} \le 6N^{1/4}.$$

Define $\tilde{p} = \frac{1}{2}(s + t)$. Then one out of the six values $\tilde{p} + (2k + 1)N^{1/4}$, $k = -3, -2, -1, 0, 1, 2$ is an approximation of $p$ up to an error of at most $N^{1/4}$ in absolute value. We can apply Coppersmith's algorithm to all these values. The correct term will then lead to the factorization of $N$ in polynomial time.

It remains to show that $t = \sqrt{s^2 - 4N}$ is indeed an approximation of $p - q$ up to some error term that can be bounded by $9N^{1/4}$. Let us first show that $t$ is well-defined, i.e. $s^2 - 4N \ge 0$. Observe that $s = p + q + \frac{y}{k}$ satisfies

$$s^2 - 4N = (p - q)^2 + 2\frac{y}{k}(p + q) + \left(\frac{y}{k}\right)^2.$$

Therefore, it suffices to show that $\left|2\frac{y}{k}(p + q)\right| \le (p - q)^2$. Using $\left|\frac{y}{k}\right| \le \frac{4}{3}cN^{1/4}$ we obtain $\left|2\frac{y}{k}(p + q)\right| < 8cN^{3/4}$. From our precondition $N > (\frac{8}{c})^4$, we see that $8 < cN^{1/4}$. This immediately implies $8cN^{3/4} < c^2N \le (p - q)^2$ as desired.

Since $N > 2^{12}$, we know that the error term $\frac{y}{k}$ for $p + q$ can be bounded in absolute value by $\frac{4}{3}cN^{1/4} < \frac{1}{2}(p + q)$. This implies the inequality

$$s < \frac{3}{2}(p + q). \qquad (3)$$

We observe that

$$t - (p - q) = \sqrt{s^2 - 4N} - (p - q) = \frac{(s - (p + q))(s + (p + q))}{\sqrt{s^2 - 4N} + (p - q)}.$$

Using the inequalities (3), $|s - (p + q)| \le \frac{4}{3}cN^{1/4}$ and $p - q \ge cN^{1/2}$ finally leads us to the desired bound

$$|t - (p - q)| \le \frac{\frac{4}{3}cN^{1/4}\,(s + (p + q))}{p - q} < 9N^{1/4}.$$



Let us briefly summarize the whole factorization algorithm.

Algorithm Generalized Wiener Attack

INPUT: $(N, e)$, where $N = pq$ and $ex + y = 0 \bmod \phi(N)$ for some unknown $0 < x \le \frac{1}{3}N^{1/4}$ and $|y| \le cN^{-3/4}ex$.

1. Compute the continued fraction expansion of $\frac{e}{N}$.

2. For every convergent $\frac{k}{x}$ of the expansion:

(a) Compute $s = N + 1 - \frac{ex}{k}$, $t = \sqrt{s^2 - 4N}$ and $\tilde{p} = \frac{1}{2}(s + t)$.

(b) Apply Coppersmith's algorithm to the candidates $\tilde{p} + (2k + 1)N^{1/4}$ for $k = -3, -2, \ldots, 2$: If Coppersmith's algorithm outputs the factorization of $N$, then stop.

OUTPUT: $p, q$

Since every step in Algorithm Generalized Wiener Attack can be done in polynomial time and the number of convergents is bounded by $O(\log N)$, this concludes the proof of Theorem 2. □



3 Cryptanalysis of the YKLM-scheme

In 2001, Yen, Kim, Lim and Moon [11,12] presented an RSA-type scheme that was designed to counteract the Bellcore-attack (see [2]). Unfortunately, they need a specialized RSA key generation process in order to make their scheme efficient. Their public key $e$ satisfies a relation with some small parameters that will be described in this section. The efficiency of the YKLM-scheme relies on the fact that these parameters are indeed much smaller than the modulus $N$. It was raised as an open question by the authors if one can use random public keys $e$ as well in their scheme, thereby maintaining the same performance.

We show that the public keys constructed in the YKLM-scheme satisfy the conditions of Theorem 2, i.e. for every public exponent $e$ we have $ex + y = 0 \bmod \phi(N)$ with small $x$ and $y$.

Let us first reconsider the modified key generation algorithm in the YKLM-scheme.

RSA Key Generation in the YKLM-scheme

Modulus: Choose randomly two primes $p$ and $q$ of the same bit-size and compute the product $N = pq$.

Small parameters: Fix a bound $B$, where $B \ll N$. Choose randomly $e_r$ and $r$ in $\{1, \ldots, B\}$ such that $\gcd(e_r, \phi(N)) = 1$. Compute $d_r = e_r^{-1} \bmod \phi(N)$.

Secret exponent: Compute $d = d_r + r$. If $\gcd(d, \phi(N)) \ne 1$, choose different parameters $e_r$ and $r$.

Public exponent: Compute $e = d^{-1} \bmod \phi(N)$.

Public parameters: Publish the tuple $(N, e)$.

The authors pointed out that instead of the public key tuple $(N, e)$ one could even publish the parameters $e_r$ and $r$ as well, but the following observation shows that the parameters $e_r$ and $r$ immediately yield the factorization of $N$. Consider the public key equation

$$ed - 1 = 0 \bmod \phi(N).$$

The secret key $d$ has a decomposition into the unknown part $d_r$ and the known parameter $r$:

$$e(d_r + r) - 1 = 0 \bmod \phi(N).$$

Multiplication with $e_r$ removes the unknown parameter $d_r$:

$$e(1 + e_r r) - e_r = 0 \bmod \phi(N).$$

Since every parameter on the left hand side is known, we can compute a multiple $k\phi(N)$ of the Euler function

$$e(1 + e_r r) - e_r = k\phi(N) \quad\text{for some } k \in \mathbb{N}. \qquad (4)$$

Since $e < \phi(N)$, we have that $k < 1 + e_r r$. Therefore, the bit-length of $k$ is polynomial in the bit-length of $N$. It is a well-known result that such a multiple $k\phi(N)$ yields the factorization of $N$ in probabilistic polynomial time in the bit-length of $N$ (see for example [8]).

Certainly, there is no need to publish the small parameters $e_r$ and $r$ in the YKLM-scheme. On the other hand, we see that by equation (4) one can apply Theorem 2 by setting $x = 1 + e_r r$ and $y = -e_r$. This gives us the following corollary from Theorem 2.
Corollary 3 Let $c < 1$ and let $(N, e)$ be a public key tuple constructed by the key generation process in the YKLM-scheme with $p - q \ge cN^{1/2}$. Furthermore, let $e_r$ and $r$ satisfy the conditions

$$1 + e_r r \le \frac{1}{3}N^{1/4}$$

and

Then $N$ can be factored in time polynomial in $\log(N)$.

Proof: In order to be able to apply Theorem 2, it remains to show that $e_r \le cN^{-3/4}e(1 + e_r r)$. Using equation (4), we conclude that

$$cN^{-3/4}e(1 + e_r r) \ge cN^{-3/4}\phi(N),$$

and $\phi(N)$ is a constant fraction of $N$, which proves the claim. □

Since the efficiency of the YKLM-scheme relies on the fact that $e_r$ and $r$ are very small compared to $N$, Corollary 3 breaks the YKLM-scheme for all reasonable parameter choices.
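The leak from $(e_r, r)$ and the multiple $k\phi(N)$ of equation (4), worked at toy scale as an added example that is not the paper's or the YKLM authors' code: the factoring step from a multiple of $\phi(N)$ is the standard square-root-of-one argument the page cites as [8], and the 32-bit primes, the bound $B = 100$ and the seed are constructed for the demo.

```python
import random
from math import gcd, isqrt


def next_prime(n):
    """Smallest prime >= n by trial division (fine for the 32-bit toy primes used here)."""
    while not (n > 1 and all(n % d for d in range(2, isqrt(n) + 1))):
        n += 1
    return n


def yklm_keygen(p, q, B, rng):
    """RSA Key Generation in the YKLM-scheme for a fixed modulus N = pq and bound B."""
    phi = (p - 1) * (q - 1)
    while True:
        e_r, r = rng.randint(1, B), rng.randint(1, B)     # small parameters in {1, ..., B}
        if gcd(e_r, phi) != 1:
            continue
        d = pow(e_r, -1, phi) + r                          # d = d_r + r, d_r = e_r^-1 mod phi(N)
        if gcd(d, phi) == 1:
            return pow(d, -1, phi), d, e_r, r             # e = d^-1 mod phi(N)


def leaked_phi_multiple(e, e_r, r):
    """Equation (4): e(1 + e_r r) - e_r = k*phi(N), computable from e, e_r and r alone."""
    return e * (1 + e_r * r) - e_r


def factor_from_phi_multiple(N, M, rng, rounds=64):
    """Recover p, q from a multiple M of phi(N) (the well-known argument behind [8]):
    write M = 2^s t; for random a, squaring a^t repeatedly reaches 1, and the last
    value before 1 is a square root of 1 mod N. A root other than +-1 gives a
    factor through gcd(root - 1, N); each a succeeds with probability >= 1/2."""
    s, t = 0, M
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(rounds):
        a = rng.randrange(2, N - 1)
        g = gcd(a, N)
        if g != 1:                                         # lucky hit, already a factor
            return max(g, N // g), min(g, N // g)
        x = pow(a, t, N)
        for _ in range(s):
            y = pow(x, 2, N)
            if y == 1 and x not in (1, N - 1):
                g = gcd(x - 1, N)
                return max(g, N // g), min(g, N // g)
            x = y
    return None


def demo(seed=2004):
    """Toy instance: 32-bit primes, B = 100 << N. Checks that (e_r, r) leak a multiple
    of phi(N) that factors N, and that x = 1 + e_r r, y = -e_r satisfy Theorem 2."""
    rng = random.Random(seed)
    q = next_prime(2**31 + 1000)
    p = next_prime(2**31 + 2**30)                          # p - q ~ 0.4 sqrt(N): normal RSA case
    N, phi = p * q, (p - 1) * (q - 1)
    e, d, e_r, r = yklm_keygen(p, q, 100, rng)
    M = leaked_phi_multiple(e, e_r, r)
    x, y = 1 + e_r * r, -e_r
    root4 = isqrt(isqrt(N))
    return {
        "keypair_ok": e * d % phi == 1,
        "phi_multiple_ok": M % phi == 0 and 0 < M // phi < x,   # k < 1 + e_r r
        "factored": factor_from_phi_multiple(N, M, rng) == (p, q),
        "theorem2_relation": (e * x + y) % phi == 0,
        "x_within_wiener_bound": x <= root4 // 3,               # 1 + e_r r <= N^(1/4)/3
    }
```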



4 Generalizing to Arbitrary Prime Differences $p - q$

de Weger [10] observed that Wiener's attack can be improved when $p - q$ is significantly smaller than $\sqrt{N}$. He showed that $N' = N - \lfloor 2\sqrt{N} \rfloor$ is an approximation of $\phi(N)$ with error at most . Thus, using the continued fraction expansion of $\frac{e}{N'}$ instead of $\frac{e}{N}$ leads to an improvement in Wiener's algorithm. Namely, de Weger proved that for prime differences $p - q$ of size $N^{1/4+\gamma}$, $0 < \gamma < \frac{1}{4}$, one can achieve a bound of $d < N^{1/2-\gamma}$ in Wiener's algorithm.

The same trick applies to our generalized version of Wiener's attack (Section 2) as well. This gives us the following more general result.



Theorem 4 Given an RSA public key tuple $(N, e)$, where $N = pq$. Suppose that $e$ satisfies an equation $ex + y = 0 \bmod \phi(N)$ with

$$0 < x < \frac{1}{3}\cdot\frac{\phi(N)}{e}\cdot\frac{N^{3/4}}{p - q} \quad\text{and}\quad |y| \le \frac{p - q}{\phi(N)N^{1/4}}\,ex.$$

Then $N$ can be factored in time polynomial in $\log N$.

Proof. The proof is similar to the proof of Theorem 2. One mainly substitutes $N$ by $N' = N - \lfloor 2\sqrt{N} \rfloor$ and works through the arithmetic. Therefore we omit the proof.

Instead we give the factorization algorithm.
Algorithm Generalized Wiener Attack II

INPUT: $(N, e)$, where $N = pq$ and $ex + y = 0 \bmod \phi(N)$ for some unknown

$$0 < x < \frac{1}{3}\cdot\frac{\phi(N)}{e}\cdot\frac{N^{3/4}}{p - q} \quad\text{and}\quad |y| \le \frac{p - q}{\phi(N)N^{1/4}}\,ex.$$

1. Set $N' = N - \lfloor 2\sqrt{N} \rfloor$ and compute the continued fraction expansion of $\frac{e}{N'}$.

2. For every convergent $\frac{k}{x}$ of the expansion:

(a) Compute $s = N + 1 - \frac{ex}{k}$, $t = \sqrt{s^2 - 4N}$ and $\tilde{p} = \frac{1}{2}(s + t)$.

(b) Apply Coppersmith's algorithm to the candidates $\tilde{p} + (2k + 1)N^{1/4}$ for $k = -3, -2, \ldots, 2$: If Coppersmith's algorithm outputs the factorization of $N$, then stop.

OUTPUT: $p, q$
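Both algorithms at toy scale, as an added example that is not the paper's own code: the continued fraction expansion of $e/N$ (Algorithm Generalized Wiener Attack) or of $e/N'$ (Algorithm II), the approximations $s$, $t$ and $\tilde p$ from the key equation, and, since Coppersmith's lattice step is out of scope here, a brute-force search within $\pm 6N^{1/4}$ of $\tilde p$ that stands in for it and is only feasible for the 24-bit primes used. The weak keys are constructed from chosen $(x, y)$ with $k = x - 1$; that construction, the primes and the bounds $x_{\min}, y_{\min}$ are assumptions of the demo, not part of the algorithms.

```python
from math import gcd, isqrt


def convergents(num, den):
    """Yield the convergents (k, x) of the continued fraction expansion of num/den."""
    k_prev, k = 0, 1          # numerators   k_{-2}, k_{-1}
    x_prev, x = 1, 0          # denominators x_{-2}, x_{-1}
    while den:
        a, rem = divmod(num, den)
        k_prev, k = k, a * k + k_prev
        x_prev, x = x, a * x + x_prev
        yield k, x
        num, den = den, rem


def next_prime(n):
    """Smallest prime >= n by trial division (adequate for the 24-bit toy primes used here)."""
    while not (n > 1 and all(n % d for d in range(2, isqrt(n) + 1))):
        n += 1
    return n


def make_weak_key(p, q, x_min, y_min):
    """Constructed weak key: odd x >= x_min, y >= y_min and e with e*x + y = k*phi(N).

    We take k = x - 1 so that e = (k*phi - y)/x is close to phi(N) like a real
    exponent; x must then divide k*phi - y, i.e. y = k*phi (mod x)."""
    phi = (p - 1) * (q - 1)
    x = x_min | 1
    while True:
        k = x - 1
        y = (k * phi) % x
        if y < y_min:                                   # lift y to >= y_min in steps of x
            y += -(-(y_min - y) // x) * x
        e = (k * phi - y) // x
        if 0 < e < phi and gcd(e, phi) == 1:
            return e, x, y
        x += 2


def coppersmith_stand_in(N, center, radius):
    """Stand-in for Coppersmith's algorithm: a divisor of N within +-radius of
    center, found by trial division (only feasible because N is tiny here)."""
    for cand in range(max(2, center - radius), center + radius + 1):
        if N % cand == 0:
            return cand
    return None


def generalized_wiener(N, e, approx):
    """Algorithm Generalized Wiener Attack (approx = N) and its de Weger variant
    Algorithm II (approx = N' = N - floor(2 sqrt N)). Returns (p, q), p > q, or None."""
    root2, root4 = isqrt(N), isqrt(isqrt(N))
    radius = 6 * root4                # |p~ - p| <= 6 N^(1/4) for the right convergent
    for k, x in convergents(e, approx):
        if k == 0:
            continue
        s = N + 1 - (e * x) // k      # approximation of p + q, from the key equation (1)
        disc = s * s - 4 * N
        if disc < 0:
            continue                  # t = sqrt(s^2 - 4N) undefined: wrong convergent
        t = isqrt(disc)               # approximation of p - q
        p_approx = (s + t) // 2       # approximation p~ of p
        if not (root2 - radius <= p_approx <= 2 * root2 + radius):
            continue                  # no balanced prime factor lives there
        d = coppersmith_stand_in(N, p_approx, radius)
        if d:
            return max(d, N // d), min(d, N // d)
    return None


def demo():
    """Two constructed keys: the normal case p - q ~ sqrt(N) (Algorithm I), and a
    small prime difference where x lies far beyond Wiener's bound N^(1/4)/3 but
    the expansion of e/N' still recovers it (Algorithm II)."""
    q1 = next_prime(2**23 + 12345)
    p1 = next_prime(2**23 + 2**22)                     # p - q ~ 0.4 sqrt(N)
    N1 = p1 * q1
    e1, x1, y1 = make_weak_key(p1, q1, 1001, 10**5)    # x ~ N^(1/4)/3, |y| ~ 10^5 << N^(1/4) x
    normal = generalized_wiener(N1, e1, N1) == (p1, q1)

    q2 = next_prime(2**23 + 54321)
    p2 = next_prime(q2 + 2**16)                        # p - q ~ N^(1/4 + 1/12)
    N2 = p2 * q2
    e2, x2, y2 = make_weak_key(p2, q2, 100001, 10**5)  # x ~ 30 N^(1/4): hopeless for plain Wiener
    N2_prime = N2 - isqrt(4 * N2)                      # de Weger's N' = N - floor(2 sqrt N)
    small_diff = generalized_wiener(N2, e2, N2_prime) == (p2, q2)
    plain = generalized_wiener(N2, e2, N2)             # the e/N expansion has no convergent k/x here
    return normal, small_diff, plain
```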







5 There Are $N^{3/4-\epsilon}$ Weak RSA-keys

In Section 4, we showed that every public key tuple $(N, e)$ that satisfies a relation $ex + y = 0 \bmod \phi(N)$, with

$$0 < x < \frac{1}{3}\cdot\frac{\phi(N)}{e}\cdot\frac{N^{3/4}}{p - q} \quad\text{and}\quad |y| \le \frac{p - q}{\phi(N)N^{1/4}}\,ex, \qquad (5)$$

yields the factorization of $N$ in polynomial time. Those tuples $(N, e)$ are weak keys that should not be used in the design of a crypto-system. Let us formalize the notion of weak keys.

Definition 5 Let $C$ be a class of RSA public keys $(N, e)$. The size of the class $C$ is defined by

$$\mathrm{size}_C(N) = |\{e \in \mathbb{Z}^*_{\phi(N)} \mid (N, e) \in C\}|.$$

$C$ is called weak if:

1. $\mathrm{size}_C(N) = \Omega(N^{\gamma})$ for some $\gamma > 0$.

2. There exists a probabilistic algorithm $A$ that on every input $(N, e) \in C$ outputs the factorization of $N$ in time polynomial in $\log(N)$.

The elements of a weak class are called weak keys.



Our variant of Wiener's attack in Section 4 defines a weak class $C$. The question we will study in this chapter is how large this weak class is.

What bounds can we expect for $\mathrm{size}_C(N)$? As a first estimate we can sum over all tuples $(x, y)$ within the bounds given by the inequalities in (5). This gives us an upper bound on the size of $C$. Therefore, we have at most

$$\mathrm{size}_C(N) \le \left(\frac{1}{3}\cdot\frac{\phi(N)}{e}\cdot\frac{N^{3/4}}{p - q}\right)^2\cdot\frac{e(p - q)}{\phi(N)N^{1/4}} \qquad (6)$$

weak keys. This is an upper bound on $\mathrm{size}_C(N)$ since:

– Different tuples $(x, y)$ might define the same public exponent $e$.

– Some of the tuples $(x, y)$ do not even define a legitimate public key $e$, e.g. a key $e \notin \mathbb{Z}^*_{\phi(N)}$.

Instead of an upper bound on $\mathrm{size}_C(N)$, we are interested in a lower bound. Namely, we want to know the minimal number of public exponents $e \in \mathbb{Z}^*_{\phi(N)}$ that yield the factorization for some fixed modulus $N$. In this section we will prove a lower bound for $\mathrm{size}_C(N)$.

As the result we obtain that our lower bound almost perfectly matches the upper bound: If $p - q = N^{1/4+\gamma}$, $\gamma > 0$, we obtain a lower bound of

$$\mathrm{size}_C(N) = \Omega\left(\frac{N^{1-\gamma}}{\log\log^2(N^2)}\right).$$

Let us have a closer look at this result. In the common RSA case, we have $p - q = \Omega(\sqrt{N})$, which implies a bound of

$$\mathrm{size}_C(N) = \Omega\left(\frac{N^{3/4}}{\log\log^2(N^2)}\right)$$

weak RSA key tuples $(N, e)$.

On the other hand, we know that Fermat's factorization algorithm yields the factorization of $N$ in polynomial time if $p - q = O(N^{1/4})$. But the number of weak keys for $p - q = N^{1/4+\gamma}$, $0 < \gamma < \frac{1}{4}$, is $\Omega(N^{1-\gamma}/\log\log^2(N^2))$. That means that the number of weak keys scales almost perfectly with the prime difference $p - q$. As $p - q$ decreases, the number of weak key tuples increases and as $\gamma$ approaches zero almost all keys are weak. This corresponds to the fact that for $\gamma = 0$, all tuples $(N, e)$ are weak because one can find the factorization of $N$ in polynomial time with Fermat's algorithm.

We will now prove the lower bound result, where we use the following main lemma.

Lemma 6 Let $f(N, e), g(N, e)$ be functions such that $f^2(N, e)g(N, e) \le \phi(N)$, $f(N, e) \ge 2$ and $g(N, e) \le f(N, e)$. The number of public keys $e \in \mathbb{Z}^*_{\phi(N)}$, $e >$ that satisfy an equation $ex + y = 0 \bmod \phi(N)$ for $x \le f(N, e)$ and $|y| \le g(N, e)x$ is at least

$$\frac{f^2(N, e)g(N, e)}{8\log\log^2(N^2)}$$

where $\epsilon > 0$ is arbitrarily small for $N$ suitably large.

Using Lemma 6, we can immediately prove our lower bound theorem.

Theorem 7 Let $p - q = N^{1/4+\gamma}$ with $0 < \gamma < \frac{1}{4}$. Further, let $C$ be the weak class that is given by the public key tuples $(N, e)$ defined in Theorem 4 with the additional restriction that $e \in \mathbb{Z}^*_{\phi(N)}$, $e >$ . Then

$$\mathrm{size}_C(N) = \Omega\left(\frac{N^{1-\gamma}}{\log\log^2(N^2)}\right).$$

Proof: Using the bounds of (5), we define

$$f(N, e) = \frac{1}{3}\cdot\frac{\phi(N)}{e}\cdot\frac{N^{3/4}}{p - q} \quad\text{and}\quad g(N, e) = \frac{e(p - q)}{\phi(N)N^{1/4}}.$$

It can be easily checked that these settings fulfill the requirements of Lemma 6: $f^2(N, e)g(N, e) \le \phi(N)$, $f(N, e) \ge 2$ and $g(N, e) \le f(N, e)$.

Hence, we can apply Lemma 6. Since $g(N, e) = \Omega(N^{\gamma})$, the term

$$\frac{f^2(N, e)g(N, e)}{8\log\log^2(N^2)}$$

dominates the error term $O(f^2(N, e)N^{\epsilon})$.

Using $f^2(N, e)g(N, e) = \frac{1}{9}\cdot\frac{\phi(N)}{e}\cdot\frac{N^{5/4}}{p - q}$ and $p - q = N^{1/4+\gamma}$ proves the claim. □

We obtain the following corollary.

Corollary 8 Let $C$ be the weak class that is given by the public key tuples $(N, e)$ defined in Theorem 2 with the additional restriction that $e \in \mathbb{Z}^*_{\phi(N)}$, $e >$ . Then

$$\mathrm{size}_C(N) = \Omega\left(\frac{N^{3/4}}{\log\log^2(N^2)}\right).$$

It remains to prove Lemma 6. Since the proof is technical, we describe just the rough idea and leave the details to the full version of the paper.

As denoted before, different tuples $(x, y)$ might define the same public exponent $e$ and some tuples $(x, y)$ do not define a legitimate key $e \in \mathbb{Z}^*_{\phi(N)}$. Therefore, we define a suitably large subclass $T$ of all tuples $(x, y)$ within the given bounds $x \le f(N, e)$ and $|y| \le g(N, e)x$ such that different tuples define different legitimate keys $e$.
Abstract. We describe a cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem, published at Eurocrypt 2003 by Augot and Finiasz. Given the public-key and a ciphertext, we recover the corresponding plaintext in polynomial time. Our technique is a variant of the Berlekamp-Welch algorithm. We also describe a cryptanalysis of the reparation published by the authors on the IACR eprint archive, using a variant of the previous attack. Both attacks are practical as given the public-key and a ciphertext, one recovers the plaintext in a few minutes on a single PC.

Key-Words: Cryptanalysis, Augot and Finiasz cryptosystem, Polynomial Reconstruction Problem, Reed-Solomon codes.

1 Introduction

We describe a cryptanalysis of a public-key encryption scheme recently proposed by Augot and Finiasz [1]. The scheme is based on the polynomial reconstruction (PR) problem [10], which is the following:

Problem 1 (Polynomial Reconstruction). Given $n, k, \omega$ and $(x_i, y_i)_{i=1..n}$, output any polynomial $p$ such that $\deg p < k$ and $p(x_i) = y_i$ for at least $n - \omega$ values of $i$.

This problem has an equivalent formulation in terms of the decoding of Reed-Solomon error-correcting codes [11]. The problem can be solved in polynomial time when the number of errors $\omega$ is such that $\omega < (n - k)/2$, using the Berlekamp-Welch algorithm [3]. This has been improved to $\omega < n - \sqrt{kn}$ by Guruswami and Sudan [7].

When the number of errors is larger, no polynomial time algorithm is known for the PR problem. Therefore, some cryptosystems have been constructed based on the hardness of the PR problem; for example, an oblivious polynomial evaluation scheme [10], and a semantically secure symmetric cipher [8].



F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 14-27, 2004. 
(c) International Association for Cryptologic Research 2004 
At Eurocrypt 2003, Augot and Finiasz proposed a new public-key encryption scheme based on the polynomial reconstruction problem [1]. A security level exponential in terms of the parameters was conjectured. However, we provide a complete cryptanalysis of the cryptosystem: given the public key $pk$ and a ciphertext $c$, we recover the corresponding plaintext $m$ in polynomial time. Therefore, the scheme is not one-way and cannot be used in any application. Our technique is a variant of the Berlekamp-Welch algorithm [3] for solving the PR problem.

After the publication of our attack in the IACR eprint archive [5], a reparation of the cryptosystem was published by Augot, Finiasz and Loidreau in [2]. The reparation is based on the trace operator, and is resistant against the previous attack. However, we describe a new cryptanalysis of the repaired scheme. Given the public-key and a ciphertext, we can still recover the corresponding plaintext in polynomial time. Our technique is again a variant of the Berlekamp-Welch algorithm. Both attacks work very well in practice, as for the proposed parameters, one recovers the plaintext in a few minutes on a single PC.

2 Augot and Finiasz' Cryptosystem

In this section, we recall the original cryptosystem proposed by Augot and Finiasz at Eurocrypt 2003. As in [1], we first recall some basic definitions of Reed-Solomon codes.

2.1 Reed-Solomon Codes

Let $\mathbb{F}_q$ be the finite field with $q$ elements and let $x_1, \ldots, x_n$ be $n$ distinct elements of $\mathbb{F}_q$. We denote by $ev$ the following map:

$$ev: \begin{cases} \mathbb{F}_q[X] \to \mathbb{F}_q^n \\ p(X) \mapsto (p(x_1), \ldots, p(x_n)) \end{cases}$$

Definition 1. The Reed-Solomon code of dimension $k$ and length $n$ over $\mathbb{F}_q$ is the following set of $n$-tuples (codewords):

$$RS_k = \{ev(f);\ f \in \mathbb{F}_q[X],\ \deg f < k\}$$

where $\mathbb{F}_q[X]$ is the set of univariate polynomials with coefficients in $\mathbb{F}_q$.

The weight of a word $c \in \mathbb{F}_q^n$ is the number of non-zero coordinates in $c$. The Hamming distance between two words $x$ and $y$ is the weight of $x - y$. Formally, the problem of decoding Reed-Solomon codes is the following:

Problem 2 (Reed-Solomon decoding). Given a Reed-Solomon code $RS_k$ of length $n$, $\omega$ an integer and a word $y \in \mathbb{F}_q^n$, find any codeword in $RS_k$ at distance less than $\omega$ of $y$.

The smallest weight of non-zero codewords in $RS_k$ is $n - k + 1$. Therefore, when $\omega < (n - k)/2$, the solution to Reed-Solomon decoding is guaranteed to be unique. It is easy to see that the Polynomial Reconstruction problem and the Reed-Solomon decoding problem are equivalent. Both problems can be solved in polynomial time when $\omega < (n - k)/2$, using the Berlekamp-Welch algorithm [3].
2.2 Augot and Finiasz' Cryptosystem

In the following, we briefly review the Augot and Finiasz public-key cryptosystem [1].

Parameters: $q$ is the size of $\mathbb{F}_q$, $n$ is the length of the Reed-Solomon code, $k$ its
dimension, and $W$ is the weight of a large error, chosen so that the PR problem for
$n, k, W$ is believed to be hard, i.e. we must have:

  $W > \dfrac{n - k}{2}$

$\omega$ is the weight of a small error, for which the PR problem with $n - W$ coordinates
is easy:

  $\omega < \dfrac{n - W - k}{2}$   (1)

It is recommended in [1] to take $n = 1024$, $k = 900$, $\omega = 25$, $W = 74$ and $q = 2^{80}$.

Key Generation: Generate a unitary (monic) polynomial $p$ of degree $k - 1$ and a
random $n$-dimensional vector $E$ of weight $W$. Compute the codeword $c = \mathrm{ev}(p)$
of $RS_k$. The public key is $z = c + E$, while the private key is $(p, E)$.

Encryption: Let $m$ be a message of length $k - 1$ over the alphabet $\mathbb{F}_q$. The message
$m$ is seen as a polynomial $m(X) = m_0 + m_1 X + \cdots + m_{k-2} X^{k-2}$ of degree at
most $k - 2$. Generate a random $\alpha \in \mathbb{F}_q$ and a random error $e$ of weight $\omega$. The
ciphertext $y$ is then:

  $y = \mathrm{ev}(m) + \alpha \times (c + E) + e$



Decryption: One considers only the positions where $E_i = 0$ and defines the
shortened code of length $n - W$, which is also a Reed-Solomon code of dimension
$k$, which we denote $\overline{RS}_k$. Let $\bar y, \overline{\mathrm{ev}}(m), \bar c, \bar e$ be the shortened $y, \mathrm{ev}(m), c, e$. One
must solve the equation:

  $\bar y = \overline{\mathrm{ev}}(m) + \alpha \times \bar c + \bar e$

We have $\overline{\mathrm{ev}}(m) + \alpha \times \bar c \in \overline{RS}_k$, and from (1) the weight of the small error $\bar e$ is less
than the error correction capacity of $\overline{RS}_k$; therefore, using the Berlekamp-Welch
algorithm, one can recover the unique polynomial $r$ of degree $k - 1$ such that:

  $\overline{\mathrm{ev}}(r) = \overline{\mathrm{ev}}(m) + \alpha \times \bar c$

which gives

  $r = m + \alpha \cdot p$

Since $\deg(m) \le k - 2$ and $p$ is a unitary polynomial of degree $k - 1$, the field
element $\alpha$ is the leading coefficient of $r$. Therefore one can recover $m$ as:

  $m = r - \alpha \cdot p$
3 Our Attack

The attack is a variant of the Berlekamp-Welch algorithm for solving the PR
problem (see [6]).

Let $n, k, W, \omega$ and $q$ be the parameters of the system. Let $(p, E)$ be the private
key and $z = \mathrm{ev}(p) + E$ be the public key. Let $m$ be the plaintext encoded as a
polynomial of degree at most $k - 2$. Let $e$ be an error vector of weight $\omega$, and
$\alpha$ a field element. Let

  $y = \mathrm{ev}(m) + \alpha \times z + e$   (2)

be the corresponding ciphertext.

Theorem 1. Given the public key $z$ and the ciphertext $y$, one can recover the
corresponding plaintext $m$ in polynomial time.

Proof. Let $y_i$, $z_i$ and $e_i$ be the components of the words $y$, $z$ and $e$. Given $y$ and
$z$, one must solve the following set of equations:

  $\exists\, e, m, \alpha:\quad y_i = m(x_i) + \alpha \cdot z_i + e_i \quad \text{for all } 1 \le i \le n$   (3)

where the weight of $e$ is at most $\omega$. Note that from the definition of the cryp-
tosystem, there is a unique solution.

Consider the following set of equations, in the unknowns $V$, $m$ and $A$:

  $\begin{cases} \deg(V) \le \omega,\ V \ne 0,\ \deg(m) \le k - 2 \\ \forall i,\ V(x_i) \cdot (y_i - A \cdot z_i) = V(x_i) \cdot m(x_i) \end{cases}$   (4)

Any solution $V, m, A$ of (4) gives a solution to (3). Namely, the fact that
$V \ne 0$ and $\deg V \le \omega$ implies that $V$ can vanish at most $\omega$ times.
Therefore, letting $e_i = y_i - m(x_i) - A \cdot z_i$, the weight of $e$ is at most $\omega$.

Conversely, any solution to (3) gives a solution to (4). Namely, one can take
$V(X) = \prod_{i \in B} (X - x_i)$ with $B = \{i \mid e_i \ne 0\}$. The problem of solving (3) can
thus be reduced to finding $V, m, A$ satisfying (4). Consider now the following set
of equations:

  $\begin{cases} \deg(V) \le \omega,\ V \ne 0,\ \deg(N) \le k + \omega - 1 \\ \forall i,\ V(x_i) \cdot (y_i - A \cdot z_i) = N(x_i) \end{cases}$   (5)

The system (5) is a linearized version of (4), in which one has replaced the
product $V(x_i) \cdot m(x_i)$ by $N(x_i)$. It is easy to see that any solution of (4) gives
a solution to (5), as one can take $A = \alpha$ and $N = m \cdot V$. However, the converse
is not necessarily true.

For a given $A$, the system (5) is a linear system of $n$ equations in the
$k + 2\omega + 1$ unknowns, which are the coefficients of the polynomials $V$ and $N$.
More precisely, denoting

  $V(X) = \sum_{i=0}^{\omega} v_i X^i, \qquad N(X) = \sum_{i=0}^{k+\omega-1} n_i X^i$

and $Y$ the vector of coordinates

  $Y = (v_0, \ldots, v_\omega, n_0, \ldots, n_{k+\omega-1}),$

one lets $M(A)$ be the matrix of the system, with rows indexed by $i$ and columns by
$j = 0, \ldots, k + 2\omega$:

  $M(A)_{i,j} = \begin{cases} (y_i - A \cdot z_i)\, x_i^{\,j} & \text{if } 0 \le j \le \omega \\ -x_i^{\,j-\omega-1} & \text{if } \omega < j \le k + 2\omega \end{cases}$

The matrix $M(A)$ is a rectangular matrix with $n$ rows and $k + 2\omega + 1$ columns;
from (1) we have that $n \ge k + 2\omega + 1$. The coefficients of $M(A)$ are a function
of the public key and the ciphertext only. The system (5) is then equivalent to:

  $\exists\, Y, A:\quad M(A) \cdot Y = 0,\ Y \ne 0$   (6)

We consider the matrix $M(A)$ with $A = 0$. Using Gaussian elimination, we
compute the rank of the matrix $M(0)$. We distinguish two cases: $\operatorname{rank} M(0) =
k + 2\omega + 1$, and $\operatorname{rank} M(0) < k + 2\omega + 1$.

If $\operatorname{rank} M(0) = k + 2\omega + 1$, then there exists a square sub-matrix of $M(0)$
of dimension $k + 2\omega + 1$ which is invertible. Without loss of generality, one can
assume that the matrix obtained by taking the first $k + 2\omega + 1$ rows of $M(0)$ is
invertible. Let $M'(A)$ be the square matrix obtained by taking the first $k + 2\omega + 1$
rows of $M(A)$. Any solution $Y, A$ of (6) satisfies:

  $M'(A) \cdot Y = 0,\ Y \ne 0$

which implies that the matrix $M'(A)$ is non-invertible, i.e. $\det(M'(A)) = 0$. Then
the solution $\alpha$ of system (4) must be a root of the function

  $f(A) = \det(M'(A))$

which is a polynomial of degree at most $\omega + 1$, since only the first $\omega + 1$ columns
of $M'(A)$ depend on $A$, each linearly. The polynomial $f$ is not identically zero,
because $M'(0)$ is invertible, which implies $f(0) \ne 0$. The polynomial $f$ can easily
be obtained from the public key $z$ and the ciphertext $y$ by computing
$f(A) = \det(M'(A))$ for $\omega + 2$ distinct values of $A$ and then using Lagrange
interpolation.

The factorization of a polynomial over a finite field can be done in polynomial
time (see for example [13]). Therefore, one obtains a list of at most $\omega + 1$
candidates, one of which is the solution $\alpha$ of (4), and equivalently of (3).
For the right candidate $\alpha$, the vector $y - \alpha \times z$ is equal to $\mathrm{ev}(m) + e$, where the
weight of $e$ is less than the error correcting capacity of the Reed-Solomon code.
Therefore, using the Berlekamp-Welch algorithm, one recovers the plaintext $m$ from
$y - \alpha \times z$ in polynomial time.

More precisely, let $\alpha, m, e$ be the solution of (3). Given a solution $V, N, A$ of
(5) with $A = \alpha$, we have for all $1 \le i \le k + 2\omega + 1$:

  $V(x_i) \cdot (m(x_i) + e_i) = N(x_i)$

Since the error vector $e$ has weight at most $\omega$, we have for at least $\omega + k + 1$
values of $i$:

  $V(x_i) \cdot m(x_i) = N(x_i)$

$N$ and $V \cdot m$ are therefore two polynomials of degree at most $\omega + k - 1$ which
take the same value on at least $\omega + k + 1$ distinct points; consequently, the two
polynomials must be equal. This means that one can recover $m$ by performing
a polynomial division:

  $m = \dfrac{N}{V}$

Therefore, one can recover the plaintext in polynomial time.

Let us now consider the second case, i.e. $\operatorname{rank} M(0) < k + 2\omega + 1$. Then there
exists $Y \ne 0$ such that $M(0) \cdot Y = 0$. The vector $Y$ gives the coefficients of two
polynomials $V$ and $N$ such that for all $1 \le i \le n$:

  $V(x_i) \cdot y_i = N(x_i)$

From (2) we have $y_i = m(x_i) + \alpha \cdot (p(x_i) + E_i) + e_i$, which gives for all $i$:

  $V(x_i) \cdot \big((m + \alpha \cdot p)(x_i) + \alpha \cdot E_i + e_i\big) = N(x_i)$

The weight of $E$ is at most $W$ and the weight of $e$ is at most $\omega$. Moreover, from
(1) we have $n > k + 2\omega + W$. Therefore, for at least $\omega + k$ values of $i$, we have:

  $V(x_i) \cdot (m + \alpha \cdot p)(x_i) = N(x_i)$

As previously, $V \cdot (m + \alpha \cdot p)$ and $N$ are two polynomials of degree at most
$k + \omega - 1$ which take the same value on at least $\omega + k$ distinct points; consequently,
they must be equal, which gives:

  $m + \alpha \cdot p = \dfrac{N}{V}$

Since the polynomial $p$ is unitary with $\deg p = k - 1$ and $\deg m \le k - 2$, this
enables one to recover $\alpha$ as the leading coefficient of $N/V$. Then, as previously,
given $\alpha$, we recover $m$ in polynomial time¹. □

4 The Repaired Cryptosystem 

In this section, we describe the repaired cryptosystem published in [2]. The new 
cryptosystem is resistant against the previous attack. The reparation is based on 
working in the subfield of a given field, and using the trace operator. Following 
[2], we recall these notions in the next section. 

¹ In this second case, we can also recover the private key $(p, E)$. It has been shown in
[9] that this second case happens with negligible probability.
4.1 Subfields and Trace Operator

We consider the finite field $\mathrm{GF}(q^u)$, where $q$ is a power of a prime integer.
The finite field $\mathrm{GF}(q)$ is a subfield of $\mathrm{GF}(q^u)$. The finite field $\mathrm{GF}(q^u)$ can be
viewed as a $u$-dimensional vector space over $\mathrm{GF}(q)$. Let $\gamma_1, \ldots, \gamma_u$ be a basis of
$\mathrm{GF}(q^u)$ over $\mathrm{GF}(q)$; then every element $a \in \mathrm{GF}(q^u)$ can be uniquely written
$a = \sum_{i=1}^{u} a_i \gamma_i$ where $a_i \in \mathrm{GF}(q)$.

Definition 2. The trace operator of $\mathrm{GF}(q^u)$ into $\mathrm{GF}(q)$ is defined by:

  $\forall x \in \mathrm{GF}(q^u),\quad \mathrm{Tr}(x) = x + x^{q} + \cdots + x^{q^{u-1}}$

The trace operator is a $\mathrm{GF}(q)$-linear mapping (and not $\mathrm{GF}(q^u)$-linear) of
$\mathrm{GF}(q^u)$ into $\mathrm{GF}(q)$. For any basis $\gamma_1, \ldots, \gamma_u$ of $\mathrm{GF}(q^u)$, there exists a unique
dual basis $\gamma_1^*, \ldots, \gamma_u^*$ with respect to the trace operator. The dual basis is such
that:

  $\mathrm{Tr}(\gamma_i \gamma_j^*) = 1$ if $i = j$, and $0$ otherwise.

The dual basis can be efficiently computed.

We extend the trace operator to vectors:

  $\mathrm{Tr}(c_1, \ldots, c_n) = (\mathrm{Tr}(c_1), \ldots, \mathrm{Tr}(c_n))$

and to polynomials: for any polynomial $p \in \mathrm{GF}(q^u)[X]$, $p(x) = \sum_{i=0}^{k} p_i x^i$, we
define the polynomial $\mathrm{Tr}(p) \in \mathrm{GF}(q)[X]$ as:

  $\mathrm{Tr}(p)(x) = \sum_{i=0}^{k} \mathrm{Tr}(p_i)\, x^i$

Let $x_1, \ldots, x_n$ be $n$ distinct elements of $\mathrm{GF}(q) \subset \mathrm{GF}(q^u)$. As in section 2.1 we
denote by $\mathrm{ev}$ the following map:

  $\mathrm{ev}: \mathrm{GF}(q^u)[X] \to \mathrm{GF}(q^u)^n,\quad p(X) \mapsto (p(x_1), \ldots, p(x_n))$

Proposition 1. For all $p \in \mathrm{GF}(q^u)[X]$, we have $\mathrm{Tr}(\mathrm{ev}(p)) = \mathrm{ev}(\mathrm{Tr}(p))$.

Proof. The $j$-th component of $\mathrm{Tr}(\mathrm{ev}(p))$ is

  $\mathrm{Tr}(p(x_j)) = \mathrm{Tr}\Big(\sum_{i=0}^{k} p_i (x_j)^i\Big)$

From the $\mathrm{GF}(q)$-linearity of the trace operator and the fact that $x_j \in \mathrm{GF}(q)$,
we obtain:

  $\mathrm{Tr}(p(x_j)) = \sum_{i=0}^{k} \mathrm{Tr}(p_i)\, (x_j)^i$

which is the $j$-th component of $\mathrm{ev}(\mathrm{Tr}(p))$. □

As in section 2.1, we define the Reed-Solomon code of dimension $k$ and length
$n$ over $\mathrm{GF}(q^u)$ as the following set of $n$-tuples (codewords):

  $RS_k = \{\mathrm{ev}(f);\ f \in \mathrm{GF}(q^u)[X],\ \deg f < k\}$

4.2 The Repaired Cryptosystem

In this section, we recall the repaired cryptosystem [2].

Parameters: A finite field $\mathrm{GF}(q^u)$, an integer $n$ as the length of the Reed-
Solomon code, $k$ its dimension, $W$ the weight of a large error, and $\omega$ the weight
of a small error, for which the PR problem with $n - W$ coordinates is easy:

  $\omega < \dfrac{n - W - k}{2}$   (7)

The authors of the repaired cryptosystem recommend in [2] to take $q = 2^{20}$,
$u = 4$, $n = 2048$, $k = 1400$, $W = 546$ and $\omega = 49$.²

Key Generation: Generate a random polynomial $p$ of degree $k - 1$ over $\mathrm{GF}(q^u)$,
such that the $u$ coefficients $p_{k-1}, \ldots, p_{k-u}$ form a basis of $\mathrm{GF}(q^u)$ over $\mathrm{GF}(q)$.
Compute $c = \mathrm{ev}(p) \in RS_k$. Generate a random $n$-dimensional vector $E$ of weight
$W$ with coefficients in $\mathrm{GF}(q^u)$. The public key is the vector $K = c + E$ over
$\mathrm{GF}(q^u)$. The private key is $(p, E)$.

Encryption: Let $m$ be a message of length $k - u$ over the alphabet $\mathrm{GF}(q)$. The
message $m$ is seen as a polynomial $m(X) = m_0 + m_1 X + \cdots + m_{k-u-1} X^{k-u-1}$ in
$\mathrm{GF}(q)[X]$. Generate a random $\alpha \in \mathrm{GF}(q^u)$ and a random vector $e$ of weight $\omega$
over $\mathrm{GF}(q)$. The ciphertext $y$ is then:

  $y = \mathrm{ev}(m) + \mathrm{Tr}(\alpha \cdot K) + e$

Decryption: One considers only the positions where $E_i = 0$ and defines the
shortened code of length $n - W$, which is also a Reed-Solomon code of dimension
$k$, which we denote $\overline{RS}_k$. Let $\bar y, \bar c, \bar e$ be the shortened $y, c, e$ and let $\overline{\mathrm{ev}}$ be the
shortened map $\mathrm{ev}$. One must solve the equation:

  $\bar y = \overline{\mathrm{ev}}(m) + \mathrm{Tr}(\alpha \cdot \bar c) + \bar e$

Using Proposition 1, we have:

  $\mathrm{Tr}(\alpha \cdot \bar c) = \mathrm{Tr}(\alpha \cdot \overline{\mathrm{ev}}(p)) = \mathrm{Tr}(\overline{\mathrm{ev}}(\alpha p)) = \overline{\mathrm{ev}}(\mathrm{Tr}(\alpha p))$

² Actually, the authors of [2] forgot to clearly specify $k$, but they state that with these
parameters, "a plaintext consists of $k - u$ elements in $\mathrm{GF}(2^{20})$, that is 27920 bits",
from which we infer that $k = 27920/20 + 4 = 1400$.

Thus $\overline{\mathrm{ev}}(m) + \mathrm{Tr}(\alpha \cdot \bar c) = \overline{\mathrm{ev}}(m + \mathrm{Tr}(\alpha p)) \in \overline{RS}_k$, and from (7) the weight of the
small error $\bar e$ is less than the error correction capacity of $\overline{RS}_k$; therefore, using
the Berlekamp-Welch algorithm, one can recover the polynomial $r = m + \mathrm{Tr}(\alpha p)$.

Letting $r = \sum_{i=0}^{k-1} r_i X^i$, since $\deg(m) \le k - u - 1$, we have $r_i = \mathrm{Tr}(\alpha p_i)$
for $i = k - u, \ldots, k - 1$. This gives the $u$ coordinates of $\alpha$ in the dual basis
of $p_{k-u}, \ldots, p_{k-1}$, from which we derive $\alpha$. From $\alpha$ one recovers $m$ as $m =
r - \mathrm{Tr}(\alpha p)$.



5 The Attack against the Repaired Cryptosystem

In this section, we describe an attack that breaks the repaired cryptosystem.
Given the public key and a ciphertext, we recover the plaintext in polynomial
time. Like the attack of section 3, it is a variant of the Berlekamp-Welch algorithm,
but as opposed to the previous attack, it is only heuristic (though it works very
well in practice).

Let $\mathrm{GF}(q^u), n, k, W, \omega$ be the parameters of the system. Let $(p, E)$ be the
private key and $K = \mathrm{ev}(p) + E$ be the public key. Let $m$ be the plaintext encoded
as a polynomial of degree at most $k - u - 1$. Let $e$ be an error vector of weight
$\omega$, and $\alpha \in \mathrm{GF}(q^u)$. Let

  $y = \mathrm{ev}(m) + \mathrm{Tr}(\alpha \cdot K) + e$

be the corresponding ciphertext.

Let $\gamma_1, \ldots, \gamma_u$ be a basis of $\mathrm{GF}(q^u)$ over $\mathrm{GF}(q)$. We write $\alpha = \sum_{t=1}^{u} a_t \gamma_t$ where
$a_t \in \mathrm{GF}(q)$. By $\mathrm{GF}(q)$-linearity of the trace, we have

  $\mathrm{Tr}(\alpha \cdot K) = \sum_{t=1}^{u} a_t\, \mathrm{Tr}(\gamma_t \cdot K)$

For $t = 1, \ldots, u$, we define:

  $K_t = \mathrm{Tr}(\gamma_t \cdot K)$

Note that the $u$ vectors $K_t$ are vectors over $\mathrm{GF}(q)$ which can be computed from
the public key $K$. Finally the ciphertext can be written as:

  $y = \mathrm{ev}(m) + \sum_{t=1}^{u} a_t K_t + e$   (8)

Note that in equation (8), all computation is done in the subfield $\mathrm{GF}(q)$. Let
$y_i$, $K_{t,i}$ and $e_i$ be the components of the vectors $y$, $K_t$ and $e$. Given $y$ and the $K_t$,
one must solve the following set of equations:

  $\exists\, e, m, a_1, \ldots, a_u:\quad y_i = m(x_i) + \sum_{t=1}^{u} a_t \cdot K_{t,i} + e_i \quad \text{for all } 1 \le i \le n$   (9)

where the weight of $e$ is $\omega$. Note that from the definition of the cryptosystem,
there is a unique solution.
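As an added example (not code from the paper or from [2]), here is the trace machinery of Sections 4.1 and 4.2 together with the subfield decomposition (8), run at toy size. The parameters are assumptions made for the demonstration: $q = 11$, $u = 2$, $\mathrm{GF}(q^u)$ realised as $\mathrm{GF}(11)[t]/(t^2 + 1)$, and a dual basis found by exhaustive search, which is only sensible at this size. The function names (trace, dual_basis, recover_alpha, subfield_decomposition) are mine.

```python
# Added example (not from the paper): trace, dual basis and the subfield
# decomposition (8) at toy size. Assumed parameters: q = 11, u = 2, and
# GF(q^u) = GF(11)[t]/(t^2 + 1); an element (a0, a1) stands for a0 + a1*t.
Q, U = 11, 2
ZERO, ONE = (0, 0), (1, 0)

def add(x, y):
    return tuple((a + b) % Q for a, b in zip(x, y))

def mul(x, y):
    # (a0 + a1 t)(b0 + b1 t) reduced with t^2 = -1
    return ((x[0] * y[0] - x[1] * y[1]) % Q, (x[0] * y[1] + x[1] * y[0]) % Q)

def power(x, e):
    r = ONE
    while e:
        if e & 1:
            r = mul(r, x)
        x, e = mul(x, x), e >> 1
    return r

def trace(x):
    """Definition 2: Tr(x) = x + x^q + ... + x^(q^(u-1)), returned as an element of GF(q)."""
    acc, y = ZERO, x
    for _ in range(U):
        acc, y = add(acc, y), power(y, Q)
    assert acc[1] == 0, "the trace must land in the subfield"
    return acc[0]

def lift(a):
    """GF(q) -> GF(q^u)."""
    return (a % Q, 0)

ELEMENTS = [(a, b) for a in range(Q) for b in range(Q)]

def dual_basis(basis):
    """gamma_j^* with Tr(gamma_i * gamma_j^*) = [i == j]; exhaustive search over the 121 elements."""
    dual = []
    for j in range(U):
        dual.append(next(g for g in ELEMENTS
                         if all(trace(mul(basis[i], g)) == (1 if i == j else 0) for i in range(U))))
    return dual

def ev(poly, xs):
    """Evaluate a GF(q^u)[X] polynomial (coefficients lowest degree first) at points of GF(q)."""
    out = []
    for x in xs:
        r = ZERO
        for c in reversed(poly):
            r = add(mul(r, lift(x)), c)
        out.append(r)
    return out

def proposition_1_holds(poly, xs):
    """Tr(ev(p)) == ev(Tr(p)) when the evaluation points lie in the subfield."""
    lhs = [trace(v) for v in ev(poly, xs)]
    rhs = [v[0] for v in ev([lift(trace(c)) for c in poly], xs)]
    return lhs == rhs

def recover_alpha(top_traces, p_top):
    """Decryption step of 4.2: from Tr(alpha * p_i) for the u leading coefficients p_i of p
    (a basis), alpha = sum_i Tr(alpha * p_i) * p_i^* where p_i^* is the dual basis."""
    alpha = ZERO
    for c, d in zip(top_traces, dual_basis(p_top)):
        alpha = add(alpha, mul(lift(c), d))
    return alpha

def subfield_decomposition(alpha, K, basis):
    """Equation (8): Tr(alpha * K) equals sum_t a_t * K_t computed entirely over GF(q),
    with a_t = Tr(alpha * gamma_t^*) the coordinates of alpha and K_t = Tr(gamma_t * K)."""
    coords = [trace(mul(alpha, d)) for d in dual_basis(basis)]
    Kt = [[trace(mul(g, Ki)) for Ki in K] for g in basis]
    lhs = [trace(mul(alpha, Ki)) for Ki in K]
    rhs = [sum(a * row[i] for a, row in zip(coords, Kt)) % Q for i in range(len(K))]
    return lhs, rhs, coords
```

recover_alpha is the decryption step that reads $\alpha$ off the $u$ leading coefficients of $r = m + \mathrm{Tr}(\alpha p)$; subfield_decomposition returns $\mathrm{Tr}(\alpha \cdot K)$ next to $\sum_t a_t K_t$, which is the point exploited by the attack: once the $K_t$ are derived from the public key, the attacker only ever computes in $\mathrm{GF}(q)$.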

Let $V, R_1, \ldots, R_u$ be polynomials of degree at most $\omega$, with $V \ne 0$. Let $N$
be a polynomial of degree at most $\omega + k - u - 1$. Consider the following set of
equations, where the unknowns are the polynomials $V, R_1, \ldots, R_u$ and $N$:

  $\forall i \in [1, n],\quad V(x_i) \cdot y_i = N(x_i) + \sum_{t=1}^{u} R_t(x_i)\, K_{t,i}$   (10)

It is clear that given a solution to system (9), one can obtain a solution to
system (10) with $V \ne 0$. Namely, one can take $V(X) = \prod_{i \in B} (X - x_i)$ with
$B = \{i \mid e_i \ne 0\}$, $R_t = a_t \cdot V$ for $t = 1, \ldots, u$, and $N = m \cdot V$. This shows
that the system (10) has at least a non-zero solution.

The system (10) gives a homogeneous linear system of $n$ equations in the
$k + (u + 2) \cdot \omega + 1$ unknowns, which are the coefficients of the polynomials
$V, R_1, \ldots, R_u$ and $N$. Let $M$ be the matrix of the corresponding system. The
matrix has $k + (u + 2) \cdot \omega + 1$ columns and $n$ rows and can be computed from
the ciphertext and the public key. In the following, we assume that:

  $n \ge k + (u + 2) \cdot \omega$   (11)

This inequality is valid for the proposed parameters. Since the system (10) has
at least a non-zero solution, the matrix cannot be of maximum rank; therefore
$\operatorname{rank} M \le k + (u + 2) \cdot \omega$.

In the following, we assume that $\operatorname{rank} M = k + (u + 2) \cdot \omega$. This is the
only assumption that we make for our cryptanalysis. It seems that in practice,
this assumption is always satisfied. In this case, the kernel of $M$ is a linear
space of dimension 1. We have already seen that $V(X) = \prod_{i \in B} (X - x_i)$ with
$B = \{i \mid e_i \ne 0\}$, $R_t = a_t \cdot V$ for $t = 1, \ldots, u$ and $N = m \cdot V$ is a solution to
the system (10), and so $(V, R_1, \ldots, R_u, N)$ generates the kernel of $M$.

Therefore, if we compute by Gaussian elimination an element $(V', R'_1, \ldots, R'_u, N')$
in $\ker M$, we must have $V' = \lambda \cdot V$, $R'_t = \lambda R_t$ for $t = 1, \ldots, u$ and
$N' = \lambda \cdot N$ for some $\lambda \in \mathrm{GF}(q)$ with $\lambda \ne 0$. Therefore, we have $N' = \lambda \cdot N =
\lambda \cdot m \cdot V = m \cdot V'$ and we can recover $m$ by doing a polynomial division:

  $m = \dfrac{N'}{V'}$

To summarize, assuming that $\operatorname{rank} M = k + (u + 2) \cdot \omega$, we recover the plaintext
from the public key and the ciphertext in polynomial time.

6 Practical Experiments

In the appendix, we illustrate the attack against the original Augot and Finiasz
cryptosystem for small parameters. We have also implemented our attack using
Shoup's NTL library [12]. The attack works well in practice. For the recom-
mended parameters ($n = 1024$, $k = 900$, $\omega = 25$, $W = 74$, $q = 2^{80}$), it takes
roughly 30 minutes on a single PC to recover the plaintext from the ciphertext
and the public key. We have also implemented our attack against the repaired
cryptosystem, and for the recommended parameters, it takes roughly 8 minutes
on a single PC to recover the plaintext from the ciphertext and the public key.

7 Discussion

In this section, we try to see if it is possible to modify the parameters of the
scheme in order to resist the previous attack. The only condition on the
parameters for the attack to work is inequality (11). Therefore, one may try to
increase $k$, $u$ or $\omega$ while keeping $n$ constant. In the following, we show that this is
not possible. Namely, we describe another attack on the repaired cryptosystem
that recovers the private key from the public key. The attack does not work for
the recommended parameters, but applies for large $u$.

The attack is the following. Let $K = \mathrm{ev}(p) + E$ be the public key with
the $n$ components $K_i$, where $\deg p = k - 1$ and the weight of $E$ is $W$. The
Berlekamp-Welch algorithm for recovering $p$ from $K$ is the following: it looks for
two polynomials $V$ and $N$ with $\deg V \le W$, $\deg N \le k + W - 1$ and $V \ne 0$,
such that:

  $\forall i \in [1, n],\quad V(x_i) \cdot K_i = N(x_i)$

This gives a homogeneous linear system of $n$ equations in $k + 2W + 1$ unknowns.
This system has a non-zero solution, as we can take $V(X) = \prod_{i \in B} (X - x_i)$ with
$B = \{i \mid E_i \ne 0\}$ and $N = p \cdot V$. Letting $V, N$ be any non-zero solution, we have
for at least $n - W$ values of $i$:

  $V(x_i) \cdot p(x_i) = N(x_i)$

Therefore, if $n - W > k + W - 1$, or equivalently

  $n \ge k + 2 \cdot W$   (12)

the polynomials $V \cdot p$ and $N$ must be equal, which enables one to recover $p$ as
$p = N/V$.

As in the attack of section 5, from $K$ we derive the $u$ vectors $K_t$ for $t =
1, \ldots, u$ such that:

  $K_t = \mathrm{Tr}(\gamma_t \cdot K)$

where $\gamma_1, \ldots, \gamma_u$ is a basis of $\mathrm{GF}(q^u)$ over $\mathrm{GF}(q)$. Then we have:

  $K_t = \mathrm{Tr}(\gamma_t \cdot (\mathrm{ev}(p) + E)) = \mathrm{ev}(\mathrm{Tr}(\gamma_t \cdot p)) + \mathrm{Tr}(\gamma_t \cdot E)$

Letting $p_t = \mathrm{Tr}(\gamma_t \cdot p)$ and $E_t = \mathrm{Tr}(\gamma_t \cdot E)$, we can write:

  $\forall t \in [1, u],\quad K_t = \mathrm{ev}(p_t) + E_t$

Therefore, we obtain a set of $u$ vectors $K_t$ which are evaluations of a polynomial $p_t$
plus some error $E_t$. Thus we obtain $u$ instances of the polynomial reconstruction
problem over $\mathrm{GF}(q)$.

The key observation is that the instances are not independent, because the
errors occur in the same positions in all vectors $E_t$. This enables us to derive the
following improved attack: we look for a polynomial $V \ne 0$ with $\deg V \le W$ and
polynomials $N_1, \ldots, N_u$ with $\deg N_t \le k + W - 1$ such that:

  $\forall i \in [1, n],\quad \begin{cases} V(x_i) \cdot K_{1,i} = N_1(x_i) \\ \qquad \vdots \\ V(x_i) \cdot K_{u,i} = N_u(x_i) \end{cases}$

We can take the same polynomial $V$ for each $t \in [1, u]$ because the errors are
in the same positions for all $E_t$. This gives a system of $u \cdot n$ equations in the
$u \cdot k + (u + 1) \cdot W + 1$ unknowns. Let $M$ be the corresponding matrix. It has $u \cdot n$
rows and $u \cdot k + (u + 1) \cdot W + 1$ columns. We assume that:

  $u \cdot n \ge u \cdot k + (u + 1) \cdot W$   (13)

The system has a non-zero solution. Therefore, the matrix cannot be of maximum
rank; therefore $\operatorname{rank} M \le u \cdot k + (u + 1) \cdot W$. In the following, we assume that
$\operatorname{rank} M = u \cdot k + (u + 1) \cdot W$. This makes our attack heuristic, but the heuristic
works well in practice. In this case, as in section 5, the kernel of $M$ is a linear
space of dimension one, and given a solution $(V, N_1, \ldots, N_u)$, one can recover the
polynomials $p_t$ as $p_t = N_t / V$ and then recover the private key $(p, E)$. A similar
approach was already used in [4] for the decoding of interleaved Reed-Solomon
codes.

The inequality (13) gives the following condition for the attack to work:

  $n \ge k + \dfrac{u + 1}{u} \cdot W$

which is an improvement over (12). Note that for the recommended parameters
in [2], the attack does not apply. Therefore, to prevent this attack, one must
have:

  $n < k + \dfrac{u + 1}{u} \cdot W$   (14)

Then, combining inequality (14) with inequality (7), which is necessary to be
able to decrypt, one must have:

  $n > k + 2 \cdot (u + 1) \cdot \omega$

which shows that condition (11) of the attack of section 5 is always satisfied.
Therefore, there is no set of parameters which makes the repaired cryptosystem
secure against both attacks.
8 Conclusion

We have broken the cryptosystem published by Augot and Finiasz at Eurocrypt
2003 and its repaired version in [2]. In both cases, our attack recovers the plaintext from
the ciphertext and the public key in polynomial time. Moreover, both attacks
work well in practice: for the recommended parameters, one recovers the
plaintext in a few minutes on a single PC.
A A Toy Example

In this section we illustrate the attack for small parameters. We take $n = 8$,
$k = 3$, $\omega = 1$, $W = 3$. We work modulo $q = 11$. We take $x_i = i$ for $i = 1, \ldots, 8$.
We take:

  $p(x) = x^2 + 5x + 3$
  $E = (0, 0, 4, 0, 7, 6, 0, 0)$

for the private key. The public key is:

  $z = \mathrm{ev}(p) + E = (9, 6, 9, 6, 5, 9, 10, 8)$

Let the message $m$ be $m(x) = 8x + 2$. Let $\alpha = 7$ and $e = (0, 5, 0, 0, 0, 0, 0, 0)$.
The ciphertext $y$ is:

  $y = \mathrm{ev}(m) + \alpha \times z + e = (7, 10, 1, 10, 0, 3, 7, 1)$

The matrix $M(A)$ (rows $i = 1, \ldots, 8$; columns $(y_i - A z_i)$, $(y_i - A z_i) x_i$, $-1$, $-x_i$,
$-x_i^2$, $-x_i^3$, all entries reduced modulo 11) is then:

  $M(A) = \begin{pmatrix}
  7 - 9A  & 7 - 9A  & 10 & 10 & 10 & 10 \\
  10 - 6A & 9 - A   & 10 & 9  & 7  & 3  \\
  1 - 9A  & 3 - 5A  & 10 & 8  & 2  & 6  \\
  10 - 6A & 7 - 2A  & 10 & 7  & 6  & 2  \\
  -5A     & -3A     & 10 & 6  & 8  & 7  \\
  3 - 9A  & 7 - 10A & 10 & 5  & 8  & 4  \\
  7 - 10A & 5 - 4A  & 10 & 4  & 6  & 9  \\
  1 - 8A  & 8 - 9A  & 10 & 3  & 2  & 5
  \end{pmatrix}$

The determinant $f(A)$ of the matrix $M'(A)$ obtained by taking the first 6 rows
of $M(A)$ is equal to:

  $f(A) = \det M'(A) = 3A^2 + 5A + 5$

which factors modulo $q = 11$ into:

  $f(A) = 3 \cdot (A - 6) \cdot (A - 7)$

For $A = 7$, the matrix $M'(7)$ is non-invertible. We solve the linear system and
find that $Y = (8, 7, 5, 1, 1, 0)$ is such that $M(7) \cdot Y = 0$; this gives $V(x) = 7x + 8$
and $N(x) = x^2 + x + 5$, which gives modulo $q = 11$:

  $m(x) = N(x) / V(x) = 8x + 2$
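The toy instance above, run end to end in Python as an added example (this is not the authors' NTL implementation): it builds the key and ciphertext of Appendix A, decrypts legitimately as in Section 2.2, and then performs the attack of Section 3: determinants of $M'(A)$ at $\omega + 2$ points, Lagrange interpolation of $f(A)$, root finding, and the division $m = N/V$ on the kernel of $M(\alpha)$. The function names are mine, and roots of $f$ are found by exhaustive search over $\mathrm{GF}(11)$ in place of the polynomial factorisation the paper uses, which is only reasonable at this field size.

```python
# Added example (not from the paper): the toy instance of Appendix A run end to end
# over GF(11): key generation, encryption, legitimate decryption (Section 2.2) and the
# attack of Section 3. Polynomials are coefficient lists, lowest degree first.
from functools import reduce

P = 11                      # field size q of the toy example
XS = list(range(1, 9))      # evaluation points x_i = i, so n = 8
K, OMEGA = 3, 1             # code dimension k and small-error weight omega (weight(E) = W = 3)
inv = lambda a: pow(a % P, P - 2, P)
trim = lambda c: list(c[:max((i + 1 for i, a in enumerate(c) if a), default=0)])
poly_eval = lambda c, x: reduce(lambda r, a: (r * x + a) % P, reversed(c), 0)
ev = lambda c: [poly_eval(c, x) for x in XS]

def poly_divmod(num, den):
    num, den = trim(num), trim(den)
    if len(num) < len(den):
        return [], num
    q, il = [0] * (len(num) - len(den) + 1), inv(den[-1])
    for i in range(len(num) - len(den), -1, -1):
        q[i] = num[i + len(den) - 1] * il % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P
    return q, trim(num)

def det(rows):  # determinant mod P by Gaussian elimination
    a, d = [r[:] for r in rows], 1
    for c in range(len(a)):
        piv = next((r for r in range(c, len(a)) if a[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv], d = a[piv], a[c], -d
        d, ic = d * a[c][c] % P, inv(a[c][c])
        for r in range(c + 1, len(a)):
            a[r] = [(x - a[r][c] * ic * y) % P for x, y in zip(a[r], a[c])]
    return d % P

def nullspace(rows, ncols):  # basis of {Y : rows*Y = 0} mod P via reduced row echelon form
    a, pivots = [row[:] for row in rows], []
    for c in range(ncols):
        r = len(pivots)
        piv = next((i for i in range(r, len(a)) if a[i][c]), None)
        if piv is None:
            continue
        a[r], a[piv] = a[piv], a[r]
        a[r] = [x * inv(a[r][c]) % P for x in a[r]]
        for i in range(len(a)):
            if i != r and a[i][c]:
                a[i] = [(x - a[i][c] * y) % P for x, y in zip(a[i], a[r])]
        pivots.append(c)
    basis = []
    for fc in [c for c in range(ncols) if c not in pivots]:
        v = [0] * ncols
        v[fc] = 1
        for i, pc in enumerate(pivots):
            v[pc] = -a[i][fc] % P
        basis.append(v)
    return basis

def interp(points):  # Lagrange interpolation mod P through the given (x, y) points
    out = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:   # basis *= (X - xj)
                basis = [(lo - xj * hi) % P for hi, lo in zip(basis + [0], [0] + basis)]
                denom = denom * (xi - xj) % P
        out = [(o + yi * inv(denom) * b) % P for o, b in zip(out, basis)]
    return out

def bw_rows(xs, vals, w, nlen):
    # Berlekamp-Welch system V(x_i)*vals_i = N(x_i), deg V <= w, N with nlen coefficients;
    # with vals_i = y_i - A*z_i these rows are exactly the matrix M(A) of Section 3
    return [[v * pow(x, j, P) % P for j in range(w + 1)] +
            [-pow(x, j, P) % P for j in range(nlen)] for x, v in zip(xs, vals)]

def decrypt(y, p, E):
    # Section 2.2: Berlekamp-Welch on the positions where E_i = 0, then strip alpha*p
    keep = [i for i, Ei in enumerate(E) if Ei == 0]
    rows = bw_rows([XS[i] for i in keep], [y[i] for i in keep], OMEGA, K + OMEGA)
    vec = nullspace(rows, K + 2 * OMEGA + 1)[0]
    r, rem = poly_divmod(vec[OMEGA + 1:], vec[:OMEGA + 1])
    assert not rem and len(r) == K           # r = m + alpha*p has degree exactly k-1
    alpha = r[-1]                             # p is monic of degree k-1 and deg m <= k-2
    return alpha, [(ri - alpha * pi) % P for ri, pi in zip(r, p)][:K - 1]

def attack(y, z):
    # Section 3: alpha is a root of f(A) = det M'(A); then m = N/V from the kernel of M(alpha)
    ncols = K + 2 * OMEGA + 1
    M = lambda A: bw_rows(XS, [(yi - A * zi) % P for yi, zi in zip(y, z)], OMEGA, K + OMEGA)
    f = interp([(A, det(M(A)[:ncols])) for A in range(OMEGA + 2)])   # deg f <= omega + 1
    for A in [A for A in range(P) if poly_eval(f, A) == 0]:          # brute-force roots (q = 11)
        for vec in nullspace(M(A), ncols):
            V, N = vec[:OMEGA + 1], vec[OMEGA + 1:]
            m, rem = poly_divmod(N, V) if any(V) else ([], [1])
            err = [(yi - mi - A * zi) % P for yi, mi, zi in zip(y, ev(m), z)]
            if not rem and len(m) <= K - 1 and sum(1 for c in err if c) <= OMEGA:
                return A, m, f

def toy_instance():  # the private key, public key and ciphertext of Appendix A
    p, E = [3, 5, 1], [0, 0, 4, 0, 7, 6, 0, 0]           # p(x) = x^2 + 5x + 3, weight(E) = 3
    z = [(c + Ei) % P for c, Ei in zip(ev(p), E)]
    m, alpha, e = [2, 8], 7, [0, 5, 0, 0, 0, 0, 0, 0]    # m(x) = 8x + 2, weight(e) = 1
    y = [(mi + alpha * zi + ei) % P for mi, zi, ei in zip(ev(m), z, e)]
    return p, E, z, m, alpha, y
```

attack(y, z) returns the recovered $\alpha = 7$, the plaintext coefficients $[2, 8]$ (that is $8x + 2$) and $f$ as $[5, 5, 3]$ (that is $3A^2 + 5A + 5$); the candidate root $A = 6$ is rejected because the kernel of $M(6)$ yields no error vector of weight at most $\omega$, which is the check the paper applies to each candidate.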
Abstract. Let $E$ be an elliptic curve defined over $\mathbb{F}_{2^n}$. The inverse op-
eration of point doubling, called point halving, can be done up to three
times as fast as doubling. Some authors have therefore proposed to per-
form a scalar multiplication by a "halve-and-add" algorithm, which is
faster than the classical double-and-add method.

If the coefficients of the equation defining the curve lie in a small subfield
of $\mathbb{F}_{2^n}$, one can use the Frobenius endomorphism $\tau$ of the field extension
to replace doublings. Since the cost of $\tau$ is negligible if normal bases are
used, the scalar multiplication is written in "base $\tau$" and the resulting
"$\tau$-and-add" algorithm gives very good performance.

For elliptic Koblitz curves, this work combines the two ideas for the first
time to achieve a novel decomposition of the scalar. This gives a new
scalar multiplication algorithm which is up to 14.29% faster than the
Frobenius method, without any additional precomputation.

Keywords. Koblitz curves, scalar multiplication, point halving, $\tau$-adic
expansion, integer decomposition.



1 Introduction 

In 1985 Miller [9] and Koblitz [7] independently proposed to use the group of 
rational points of an elliptic curve over a finite field to create cryptosystems 
based on the discrete logarithm problem (DLP). 
The basic operation of a DLP-based cryptosystem is the scalar multiplication,
i.e. given a point $P$ and an integer $s$, to compute $sP$. Some families of elliptic
curves have arithmetic properties useful for speeding up this operation. One such
family consists of the Koblitz curves: these curves, first proposed by Koblitz [8]
and called anomalous binary curves by Solinas in [14], are defined over $\mathbb{F}_2$ by
equations of the form

  $E_a:\ y^2 + xy = x^3 + a x^2 + 1 \quad \text{with } a \in \{0, 1\}.$   (1)

The present paper is devoted to scalar multiplication on Koblitz curves. We
restrict our attention to those curves for which $n$ is prime, and whose rational
point group contains a (unique) subgroup of large prime order $p$ with a cofactor
at most 4, such as those in the standards [17,18].

Let $\tau$ denote the Frobenius endomorphism $\tau(x, y) = (x^2, y^2)$ and $P$ be a
point of order $p$ on $E_a$. As $\tau$ commutes with point addition, $\tau(P)$ also has order
$p$, and there exists a scalar $\lambda$ with $\tau(P) = \lambda P$. This suggests that $\tau$ may be used
to compute multiples of $P$. In fact, we can write a "$\tau$-adic expansion associated
to the scalar $s$", i.e. an expression of the form $\sum_i s_i \tau^i$ with $s_i \in \{0, \pm 1\}$,
such that $sP = \sum_i s_i \tau^i(P)$ for all $P \in E_a(\mathbb{F}_{2^n})$. Then a "$\tau$-and-add" loop is
used to compute $sP$. Since $\tau$ is much faster than a point doubling, the resulting
method is very efficient.

Knudsen [5] and Schroeppel [12] independently proposed a technique for
elliptic curves over binary fields based on point halving. This method computes
the multiple $R$ of any point $P$ of odd order such that $2R = P$ and $R \in \langle P \rangle$.
Since for curves of order $2p$ point halving is up to three times as fast as doubling,
it is possible to improve performance of scalar multiplication by expanding the
scalar using "powers of 1/2" and replacing the double-and-add algorithm with
a halve-and-add method.

In our paper, we combine for the first time the $\tau$-NAF approach with a single
point halving, thereby reducing the amount of point additions from $n/3$ to $2n/7$,
and providing an asymptotic speed-up of about 14.29%. The idea is that it is pos-
sible, using a single point halving, to replace some sequences of a $\tau$-NAF having
density 1/2 (and containing at least three non-zero coefficients) with sequences
having weight 2.

In the next section we collect some basic facts about $\tau$-NAFs and point halv-
ing. In Section 3, we describe our new scalar decomposition, prove its correct-
ness, and apply it to the computation of scalar multiplications. The complexity
analysis is given in Section 4. In Section 5 we conclude.

Acknowledgements. The authors express their gratitude to Darrel Hankerson, 
Tanja Lange, Nicolas Theriault and to the anonymous referees for the many 
useful suggestions for improving the paper. The authors also thank Jean-Jacques 
Quisquater for fruitful discussions and support. 
2 Background Concepts

2.1 $\tau$ Non-Adjacent Forms

All facts here are stated without proofs: these are found in [14,15].

Let the Koblitz curve $E_a$, defined over $\mathbb{F}_2$ by equation (1), have a (unique)
subgroup $G$ of large prime order $p$ with a cofactor at most 4. Let $\tau$ denote
the Frobenius endomorphism. It is easy to see that for each point $P$ we have
$(\tau^2 + 2)P = \mu\tau(P)$ where $\mu = (-1)^{1-a}$, i.e.

  $\tau^2 + 2 = \mu\tau.$   (2)

If $\tau$ is identified with a complex root of equation (2), say $\tau = (\mu + \sqrt{-7})/2$, we
can view $\tau(P)$ as multiplication by $\tau$ and let $\mathbb{Z}[\tau]$ operate on $P$.

The $\tau$-adic non-adjacent form ($\tau$-NAF for short) of an integer $z \in \mathbb{Z}[\tau]$ is a
decomposition $z = \sum_i z_i \tau^i$ where $z_i \in \{0, \pm 1\}$ with the non-adjacency property
$z_j z_{j+1} = 0$, similarly to the classical NAF [11]. The average density (that is the
average ratio of non-zero digits to the total number of digits) of a $\tau$-NAF is
1/3. Each integer $z$ admits a unique $\tau$-NAF. The length of the $\tau$-NAF expansion
of a randomly chosen scalar $s$ is $\approx 2n$, whereas the bit length of $s$ is $\approx n$. But,
for any point $P \in E_a(\mathbb{F}_{2^n}) \setminus E_a(\mathbb{F}_2)$, $\tau^n P = P$ and $\tau P \ne P$. Since $\mathbb{Z}[\tau]$ is a
Euclidean ring we can take the remainder of $s$ mod $(\tau^n - 1)/(\tau - 1)$ and use it in
place of $s$. This remainder will have smaller norm than that of $(\tau^n - 1)/(\tau - 1)$,
and thus it will have length at most $n$. Its $\tau$-NAF is called the reduced $\tau$-NAF
of $s$.

The computation of an element of $\mathbb{Z}[\tau]$ of minimal norm which is congruent
to $s$ modulo $(\tau^n - 1)/(\tau - 1)$ is a very slow operation. To overcome this problem,
Solinas proposes to compute an element which is almost of minimal norm and
whose computation is much faster. The length of its $\tau$-NAF (the partially reduced
$\tau$-NAF of $s$) is at most $n + a + 3$. The corresponding $\tau$-and-add algorithm runs
marginally slower than with the reduced $\tau$-NAF of the scalar, but the overall
speed-up is significant.

2.2 Point Halving

Let $E$ be a generic elliptic curve over $\mathbb{F}_{2^n}$ given by an equation of the form

  $E:\ y^2 + xy = x^3 + a x^2 + b$

with $a, b \in \mathbb{F}_{2^n}$ (hence, not necessarily a Koblitz curve) and having a subgroup
$G < E(\mathbb{F}_{2^n})$ of large prime order. To a point $P$ with affine coordinates $(x, y)$ we
associate the quantity $\lambda_P = x + \frac{y}{x}$. Let $P = (x, y)$ and $R = (u, v)$ be points of
$E(\mathbb{F}_{2^n}) \setminus \{O\}$ with $2R = P$. The affine coordinates of $P$ and $R$ are related as
follows:

  $\lambda_R = u + \dfrac{v}{u}$   (3)
  $x = \lambda_R^2 + \lambda_R + a$   (4)
  $y = u^2 + x(\lambda_R + 1)$   (5)
Given $P$, point halving consists in finding $R$. To do this, we have to solve (4)
for $\lambda_R$, (5) for $u$, and finally (3) for $v$. After some simple manipulations, we see
that we have to perform the following operations:

  (i)   Solve $\lambda_R^2 + \lambda_R = a + x$ for $\lambda_R$   (6)
  (ii)  Put $t = y + x(\lambda_R + 1)$
  (iii) Find $u$ with $u^2 = t$   (7)
  (iv)  Put $v = t + u\lambda_R$.

Knudsen [5] and Schroeppel [12,13] show how to perform the necessary steps
in an efficient way. A more thorough analysis of the costs of these steps is given
in [3]. We shall return to this matter in Section 4.

Point halving is an automorphism of $G$. So, given a point $P \in G$, there is
a unique $R \in G$ such that $2R = P$. In other words, the equations (6) and (7)
can always be solved in $\mathbb{F}_{2^n}$. But they do not determine a unique point $R$ with
$2R = P$. In fact, solving them will always yield two distinct points $R_1$ and $R_2$
such that $R_1 - R_2$ is the unique point of order 2 of the curve. It is possible, by
performing an additional check, to determine the point $R \in G$, but we do not
need that in our applications. We refer the interested reader to [5,12,13] or [3]
for details.
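An added example, not code from the paper: the halving steps (i)-(iv) implemented over a small binary field next to the affine doubling from which (3)-(5) are derived, so that halve(double(R)) returns R as one of its two candidates and both candidates double back to the input, as the text states. The field $\mathrm{GF}(2^{11})$ with modulus $x^{11} + x^2 + 1$, the curve coefficients $A = 1$, $B = \mathtt{0x2A5}$ and the half-trace method for step (i) (which solves $z^2 + z = c$ for odd extension degree) are assumptions made for this demonstration, not choices made in the paper.

```python
# Added example (not from the paper): point halving on a binary curve, following steps
# (i)-(iv). Assumed parameters: GF(2^11) = GF(2)[x]/(x^11 + x^2 + 1) and the curve
# y^2 + xy = x^3 + A x^2 + B with A = 1, B = 0x2A5; both are toy choices for the demo.
M, POLY = 11, (1 << 11) | (1 << 2) | 1
A, B = 1, 0x2A5

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= POLY
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(a):
    return gf_pow(a, (1 << M) - 2)

def gf_sqrt(a):          # squaring is a bijection in characteristic 2: sqrt(a) = a^(2^(m-1))
    return gf_pow(a, 1 << (M - 1))

def gf_trace(a):
    t, x = 0, a
    for _ in range(M):
        t, x = t ^ x, gf_mul(x, x)
    return t

def half_trace(c):       # z with z^2 + z = c, valid for odd m when Tr(c) = 0: sum of c^(4^i)
    z, x = 0, c
    for _ in range((M + 1) // 2):
        z, x = z ^ x, gf_pow(x, 4)
    return z

def on_curve(pt):
    x, y = pt
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x) ^ gf_mul(A, gf_mul(x, x)) ^ B

def double(pt):          # affine doubling; halving inverts exactly these formulas
    u, v = pt
    lam = u ^ gf_mul(v, gf_inv(u))
    x = gf_mul(lam, lam) ^ lam ^ A
    return x, gf_mul(u, u) ^ gf_mul(x, lam ^ 1)

def halve(pt):
    """Steps (i)-(iv): both points R with 2R = P. They differ by the point of order 2;
    the extra check that picks the one in the prime-order subgroup is not done here."""
    x, y = pt
    if gf_trace(A ^ x):                      # (6) has no solution: P is not a double
        return []
    lam = half_trace(A ^ x)                  # (i)   lambda_R^2 + lambda_R = a + x
    out = []
    for lr in (lam, lam ^ 1):                # both roots of (6)
        t = y ^ gf_mul(x, lr ^ 1)            # (ii)  t = y + x(lambda_R + 1)
        u = gf_sqrt(t)                       # (iii) u^2 = t
        out.append((u, t ^ gf_mul(u, lr)))   # (iv)  v = t + u*lambda_R
    return out

def find_point(start):   # first affine point with x >= start: y/x solves w^2 + w = x + A + B/x^2
    for x in range(start, 1 << M):
        c = x ^ A ^ gf_mul(B, gf_inv(gf_mul(x, x)))
        if gf_trace(c) == 0:
            return x, gf_mul(x, half_trace(c))
```

Both candidates returned by halve lie on the curve and double to the input: the derivation of (ii) only uses $\lambda_R^2 + \lambda_R = a + x$, which both roots satisfy, and one checks directly that $t^2 + xt = b$ follows from the curve equation of $P$, which is exactly the condition for $(u, v)$ to be on the curve.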

3 New Scalar Decomposition and Scalar Multiplication

Consider a Koblitz curve $E_a$ and adopt the notation of Subsection 2.1. Equation
(2) implies that $\tau^3 + 2\tau = \mu\tau^2 = \mu(\mu\tau - 2) = \tau - 2\mu$, hence

  $2 = -\mu(1 + \tau^2)\tau.$   (8)

In particular, this means that we can compute $2P$ as $-\mu(1 + \tau^2)\tau P$. This alone
is not very useful, since it replaces a point doubling with one addition and three
Frobenius operations. However, these relations become interesting if we can make
repeated use of them:

Lemma 1. Let $P = 2R$. Put $Q = \tau R$. The following equalities hold:

  $\Big(\sum_{j=0}^{k-1} (-1)^j \tau^{2j}\Big) P = -\mu\big(1 + (-1)^{k-1}\tau^{2k}\big) Q$   (I)

  $\Big(\sum_{j=0}^{k-2} (-1)^j \tau^{2j} + (-1)^{k-2}\tau^{2k-2}\Big) P = \big(-\mu + (-1)^{k-1}\tau^{2k-1}\big) Q$   (II)

  $\Big(\sum_{j=0}^{k-3} (-1)^j \tau^{2j} + (-1)^{k-3}\big(\tau^{2k-4} + \tau^{2k-2}\big)\Big) P = \big(-\mu + (-1)^{k-3}\tau^{2k-3}\big) Q$   (III)

Proof. Since $P = 2R = -\mu(1 + \tau^2)\tau R = -\mu(1 + \tau^2) Q$ by (8), the first statement
reduces to a telescoping sum:

  $\sum_{j=0}^{k-1} (-1)^j \tau^{2j} P = -\mu \sum_{j=0}^{k-1} (-1)^j \big(\tau^{2j} + \tau^{2j+2}\big) Q = -\mu\big(1 + (-1)^{k-1}\tau^{2k}\big) Q.$
To prove the second equality we use the previous relation (with $k - 1$ in place
of $k$) in combination with the fact that $P = (\mu - \tau)Q$, which follows from (2) as
$2 = \mu\tau - \tau^2 = (\mu - \tau)\tau$:

  $\Big(\sum_{j=0}^{k-2} (-1)^j \tau^{2j} + (-1)^{k-2}\tau^{2k-2}\Big) P
   = -\mu\big(1 + (-1)^{k-2}\tau^{2k-2}\big) Q + (-1)^{k-2}\tau^{2k-2}(\mu - \tau) Q
   = \big(-\mu + (-1)^{k-1}\tau^{2k-1}\big) Q.$

The verification of the third equality proceeds in a similar fashion, using (I) with
$k - 2$ in place of $k$:

  $\Big(\sum_{j=0}^{k-3} (-1)^j \tau^{2j}\Big) P + (-1)^{k-3}\big(\tau^{2(k-2)} + \tau^{2(k-1)}\big) P
   = -\mu\big(1 + (-1)^{k-3}\tau^{2k-4}\big) Q + (-1)^{k-3}\tau^{2k-4}(1 + \tau^2)(\mu - \tau) Q$

  $= \big(-\mu + (-1)^{k-2}\tau^{2k-3}(1 - \mu\tau + \tau^2)\big) Q = \big(-\mu + (-1)^{k-3}\tau^{2k-3}\big) Q,$

since $-\mu + (1 + \tau^2)(\mu - \tau) = -\tau(1 - \mu\tau + \tau^2)$ and $1 - \mu\tau + \tau^2 = -1$ by (2). □
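An added example (not from the paper): exact arithmetic in $\mathbb{Z}[\tau]$ with $\tau^2 = \mu\tau - 2$, used to compute $\tau$-NAFs by Solinas's digit rule from Subsection 2.1 and to check the three identities of Lemma 1 for $k$ up to 12 and both values of $\mu$. Setting $Q := 1$ and $P = (\mu - \tau)Q$ keeps every identity inside $\mathbb{Z}[\tau]$; the function names and the bound on $k$ are mine.

```python
# Added example (not from the paper): arithmetic in Z[tau] with tau^2 = mu*tau - 2, used to
# (a) compute the tau-NAF of an element by Solinas's digit rule (Subsection 2.1) and
# (b) check identities (I)-(III) of Lemma 1 for 3 <= k <= kmax, with Q := 1 so that
# P = (mu - tau) Q and everything lives in Z[tau]. Elements are pairs (a, b) for a + b*tau.

def zt_add(x, y):
    return (x[0] + y[0], x[1] + y[1])

def zt_mul(x, y, mu):
    a, b = x
    c, d = y
    # (a + b tau)(c + d tau) = ac + (ad + bc) tau + bd tau^2, with tau^2 = mu tau - 2
    return (a * c - 2 * b * d, a * d + b * c + mu * b * d)

def zt_scale(s, x):
    return (s * x[0], s * x[1])

def tau_pow(n, mu):
    r = (1, 0)
    for _ in range(n):
        r = zt_mul(r, (0, 1), mu)
    return r

def tau_naf(r0, r1, mu):
    """Digits (least significant first) of the tau-NAF of r0 + r1*tau (Solinas's rule)."""
    digits = []
    while r0 or r1:
        if r0 & 1:
            u = 2 - ((r0 - 2 * r1) % 4)    # u in {1, -1}, chosen so that the next digit is 0
            r0 -= u
        else:
            u = 0
        digits.append(u)
        r0, r1 = r1 + mu * (r0 // 2), -(r0 // 2)   # divide by tau, using 1/tau = (mu - tau)/2
    return digits

def tau_eval(digits, mu):
    """Horner evaluation of sum_i digits[i] * tau^i back into Z[tau]."""
    acc = (0, 0)
    for d in reversed(digits):
        acc = zt_add(zt_mul(acc, (0, 1), mu), (d, 0))
    return acc

def is_naf(digits):
    return all(d in (-1, 0, 1) for d in digits) and not any(a and b for a, b in zip(digits, digits[1:]))

def density(digits):
    return sum(1 for d in digits if d) / len(digits)

def alt_sum(upto, mu):   # sum_{j=0}^{upto-1} (-1)^j tau^(2j)
    r = (0, 0)
    for j in range(upto):
        r = zt_add(r, zt_scale((-1) ** j, tau_pow(2 * j, mu)))
    return r

def lemma1_holds(mu, kmax=12):
    """Check (I), (II) and (III) of Lemma 1 in Z[tau] for 3 <= k <= kmax."""
    P, s = (mu, -1), lambda j: (-1) ** j          # P = (mu - tau) Q with Q := 1
    for k in range(3, kmax + 1):
        lhs1 = zt_mul(alt_sum(k, mu), P, mu)
        rhs1 = zt_scale(-mu, zt_add((1, 0), zt_scale(s(k - 1), tau_pow(2 * k, mu))))
        lhs2 = zt_mul(zt_add(alt_sum(k - 1, mu), zt_scale(s(k - 2), tau_pow(2 * k - 2, mu))), P, mu)
        rhs2 = zt_add((-mu, 0), zt_scale(s(k - 1), tau_pow(2 * k - 1, mu)))
        tail = zt_add(tau_pow(2 * k - 4, mu), tau_pow(2 * k - 2, mu))
        lhs3 = zt_mul(zt_add(alt_sum(k - 2, mu), zt_scale(s(k - 3), tail)), P, mu)
        rhs3 = zt_add((-mu, 0), zt_scale(s(k - 3), tau_pow(2 * k - 3, mu)))
        if not (lhs1 == rhs1 and lhs2 == rhs2 and lhs3 == rhs3):
            return False
    return True
```

tau_naf(2, 0, 1) returns the digits $[0, -1, 0, -1]$, i.e. $2 = -\tau - \tau^3 = -\mu(1 + \tau^2)\tau$ for $\mu = 1$, which is relation (8); density(tau_naf(...)) on a long random element comes out close to the $1/3$ quoted in Subsection 2.1.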

We need more terminology and notation to describe and analyze our recoding.

Notation. We write $S = (s_n \ldots s_j s_{j-1} \ldots s_1 s_0)$ for any τ-adic expansion (also called string) $\sum_{0 \le i \le n} s_i \tau^i$, and $\#S$ for the length of the expansion $S$. Also by $S[i \ldots j]$ we denote the sub-expansion $(s_i \ldots s_j)$ of $S$. Occasionally, we will encounter the string $x \times (s_i \ldots s_j)$, where $x = \pm 1$. It is then understood that $-1 \times (s_i \ldots s_j) = (-s_i \ldots -s_j)$ is the bitwise complement of the original string. Henceforth $S$ will denote the τ-NAF expansion of any integer, namely an expansion as above with $s_j = 0, \pm 1$ and $s_j s_{j+1} = 0$. We write $\bar1$ for $-1$, and also $\bar1^j$ for $(-1)^j$.

Definition 1. Let $\mathcal{K} = (\ast\,0\,\ast \ldots \ast\,0\,\ast)$ be a substring of a τ-NAF expansion $S$, where the symbols $\ast$ denote a $1$ or a $-1$. $\mathcal{K}$ is a $k$-block if it contains $k$ elements $\ast$, i.e. it is of length $2k - 1$. A $k$-block is maximal if the two digits preceding it and the two following it are all zero.



Example 1. We highlight a few examples of $k$-blocks in a sequence. [Figure residue: the original annotates the string $(100\ 1010100010010\ 10101001)$ with a 2-block, a 3-block, a further 3-block and a 4-block, two of them marked as maximal; the signs of the non-zero digits are not recoverable from the scan.]

We now give a practical application of Lemma 1.

Remark 1. Let $s$ be an integer and $P$ a point of odd order on a Koblitz curve. Let $S = (s_{\ell-1} \ldots s_j s_{j-1} \ldots s_1 s_0)$ be the τ-NAF associated to $s$, so that $sP = \sum_{j=0}^{\ell-1} s_j \tau^j(P)$. By Lemma 1, the multiples of $P$ corresponding to some special $k$-blocks appearing in $S$ can be computed as suitable multiples of $Q := \tau(\tfrac12 P)$ by a τ-and-add method involving fewer group additions. The situation, in terms of substrings of τ-adic expansions, is the following (where all blocks on the left-hand side are $k$-blocks, and $\bar\mu$ stands for $-\mu$).



(I) $(\bar1^{k-1}\,0\,\bar1^{k-2}\,0\ \ldots\ 0\,\bar1\,0\,1)\,P = (\bar\mu\bar1^{k-1}\,0\,0\ \ldots\ 0\,0\,\bar\mu)\,Q$,
    where the block on the left has length $2k - 1$ and the one on the right length $2k + 1$;

(II) $(\bar1^{k-2}\,0\,\bar1^{k-2}\,0\,\bar1^{k-3}\,0\ \ldots\ 0\,\bar1\,0\,1)\,P = (\bar1^{k-1}\,0\,0\ \ldots\ 0\,0\,\bar\mu)\,Q$,
    where the block on the left has length $2k - 1$ and the one on the right length $2k$;

(III) $(\bar1^{k-3}\,0\,\bar1^{k-3}\,0\,\bar1^{k-3}\,0\ \ldots\ 0\,\bar1\,0\,1)\,P = (\bar1^{k-3}\,0\,0\ \ldots\ 0\,\bar\mu)\,Q$,
    where the block on the left has length $2k - 1$ and the one on the right length $2k - 2$.





Definition 2. We call the k-blocks of the above three types together with their 
opposites in sign good k-blocks. A maximal good k-block is a good k-block which 
cannot be further extended at its sides. 

Remark 1 suggests a strategy for saving operations in the computation of $sP$. From the τ-NAF $S$ of $s$, we create two τ-adic expansions, $S^{(1)}$ and $S^{(2)}$, by repeated replacements of subsequences, where:

1. $S^{(1)}$ is obtained from $S$ by discarding the maximal good $k$-blocks for $k \ge 3$, substituting them with a string of $2k - 1$ zeros;

2. $S^{(2)}$ consists of the weight two right-hand sequences replacing the maximal good $k$-blocks removed from $S$, each at the same position where the original $k$-block was in $S$, according to I, II or III.

It is clear from Lemma 1 and Remark 1 that $sP = S^{(1)}P + S^{(2)}Q$.

Remark 2. It is easy to verify that no two $k$-block replacements overlap. For $k$-blocks of types II and III this is obvious. Since a maximal $k$-block of type I is followed by at least two zero bits (otherwise it would not be maximal), the next non-zero bit may only occur after the end of the replacement block. $S^{(2)}$ need not satisfy the non-adjacency property.

We have written down explicitly the algorithm which generates $S^{(1)}$ and $S^{(2)}$ as Algorithm 1. Note that the length of $S^{(1)}$ is equal to the length of $S$ and that of $S^{(2)}$ is at most the length of $S$ plus two.

The total number of non-zero coefficients in $S^{(1)}$ and $S^{(2)}$ is, by construction, no greater than that of $S$. In fact, the number of non-zero coefficients decreases considerably on average (see Section 4). We now see how to use the new recoding to perform a scalar multiplication.
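As an added worked example (it is not part of the paper and not the authors' code), the following Python program implements Algorithm 1 as stated in this section and checks it against Lemma 1. Every identity behind Lemma 1 holds in the ring $\mathbb{Z}[\tau]$ with $\tau^2 = \mu\tau - 2$, so the recoding can be verified without any curve arithmetic: $sP = S^{(1)}P + S^{(2)}Q$ with $P = 2R$ and $Q = \tau R$ means that $2\,S(\tau) = 2\,S^{(1)}(\tau) + \tau\,S^{(2)}(\tau)$ must hold in $\mathbb{Z}[\tau]$. The τ-NAF is produced by Solinas' plain digit-by-digit algorithm, which is an assumption of this example (the paper feeds Algorithm 1 a reduced τ-NAF, but any τ-NAF has the non-adjacency property the recoding relies on). The block also measures the average weight reduction over random inputs, which Section 4 predicts to be $1/7$.

```python
import random


def ztau_mul(x, y, mu):
    """Multiply a + b*tau by c + d*tau in Z[tau], using tau^2 = mu*tau - 2."""
    a, b = x
    c, d = y
    return (a * c - 2 * b * d, a * d + b * c + mu * b * d)


def ztau_eval(digits, mu):
    """Value of a tau-adic expansion; digits[i] is the coefficient of tau^i."""
    value = (0, 0)
    for d in reversed(digits):  # Horner's rule, highest power first
        value = ztau_mul(value, (0, 1), mu)
        value = (value[0] + d, value[1])
    return value


def tnaf(a, b, mu):
    """tau-NAF of a + b*tau by Solinas' algorithm (assumed here; the paper uses the
    reduced tau-NAF of its Subsection 2.1, which is a tau-NAF as well)."""
    digits = []
    while a != 0 or b != 0:
        if a & 1:
            u = 2 - ((a - 2 * b) % 4)  # u = +1 or -1, chosen so that the next digit is 0
            a -= u
        else:
            u = 0
        digits.append(u)
        a, b = b + mu * (a // 2), -(a // 2)  # exact division of the remainder by tau
    return digits


def recode(S, mu):
    """Algorithm 1: split the tau-NAF S into S1 (applied to P) and S2 (applied to
    Q = tau(P/2)), replacing every maximal good k-block with k >= 3 by two digits."""
    L = len(S)
    S1 = list(S)
    S2 = [0] * (L + 2)

    def digit(j):  # digits above the top of S are zero
        return S[j] if j < L else 0

    i = 0
    while i < L:
        x = S[i]
        if x == 0:
            i += 1
            continue
        # largest k with S[i+2(k-1) .. i] = x * (1bar^{k-1} 0 ... 1bar 0 1)
        k = 1
        while digit(i + 2 * k) == x * (-1) ** k:
            k += 1
        kind = "I"
        if digit(i + 2 * k) == digit(i + 2 * (k - 1)):  # two equal signs on top
            k, kind = k + 1, "II"
            if digit(i + 2 * k) == digit(i + 2 * (k - 1)):  # three equal signs on top
                k, kind = k + 1, "III"
        if k >= 3:
            for j in range(i, i + 2 * k - 1):
                S1[j] = 0
            S2[i] = -mu * x  # the bottom digit is -mu*x for all three types
            if kind == "I":
                S2[i + 2 * k] = -mu * (-1) ** (k - 1) * x
            elif kind == "II":
                S2[i + 2 * k - 1] = (-1) ** (k - 1) * x
            else:
                S2[i + 2 * k - 3] = (-1) ** (k - 3) * x
        i += 2 * k
    return S1, S2


def recoding_is_exact(S, mu):
    """True iff 2*S(tau) == 2*S1(tau) + tau*S2(tau) in Z[tau], i.e. sP = S1 P + S2 Q."""
    S1, S2 = recode(S, mu)
    lhs = ztau_mul((2, 0), ztau_eval(S, mu), mu)
    r1 = ztau_mul((2, 0), ztau_eval(S1, mu), mu)
    r2 = ztau_mul((0, 1), ztau_eval(S2, mu), mu)
    return lhs == (r1[0] + r2[0], r1[1] + r2[1])


def weight(digits):
    return sum(1 for d in digits if d != 0)


def average_weight_ratio(trials, bits, seed=1):
    """(weight of S1 plus S2) / (weight of S) over random a + b*tau, together with the
    exactness check on every trial; Section 4 predicts (2/7) / (1/3) = 6/7."""
    rng = random.Random(seed)
    before = after = 0
    exact = True
    for _ in range(trials):
        mu = rng.choice((1, -1))
        S = tnaf(rng.getrandbits(bits), rng.getrandbits(bits), mu)
        S1, S2 = recode(S, mu)
        exact = exact and recoding_is_exact(S, mu)
        before += weight(S)
        after += weight(S1) + weight(S2)
    return exact, after / before


if __name__ == "__main__":
    S = tnaf(3, 0, 1)
    print("tau-NAF of 3 (mu = 1):", S, "->", recode(S, 1))
    print("exact on random inputs, weight ratio:", average_weight_ratio(200, 200))
```

The string $(1\,0\,\bar1\,0\,1)$ is a maximal type I 3-block, so `recode` clears it from $S^{(1)}$ and writes $(\bar\mu\,0\,0\,0\,0\,0\,\bar\mu)$ into $S^{(2)}$, exactly as in case (I) of Remark 1; the $\mathbb{Z}[\tau]$ check is what a reviewer of a real implementation would want before trusting the recoding on a curve.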



3.1 Field Represented Using a Normal Basis 

If $n$ is prime, then a normal basis for $\mathbb{F}_{2^n}$ exists and it is easy to construct [1]. Squaring an element of the field consists in a circular shift of the bits of the internal representation of its argument. The same holds for the inverse operation,
Input: A Koblitz curve $E_a$ with corresponding parameter $\mu = (-1)^{1-a}$, a point $P$ of odd order on $E_a$ and a scalar $s$ with associated (partially) reduced τ-NAF $S$
Output: Two τ-adic expansions $S^{(j)}$, $j = 1, 2$, such that $sP = S^{(1)}P + S^{(2)}Q$, where $Q = \tau(\tfrac12 P)$

$S^{(1)} \leftarrow S$, $S^{(2)} \leftarrow (0 \ldots 0)$ with $\#S^{(2)} = \#S + 2$, and $i \leftarrow 0$
DO {
    $x \leftarrow s_i$
    If $x = 0$ then { $i \leftarrow i + 1$ }
    else {
        Let $k \ge 1$ be the largest integer such that:
            $S[i + 2(k-1) \ldots i] = x \times (\bar1^{k-1}\,0\ \ldots\ \bar1\,0\,1)$
        type $\leftarrow$ I
        If $s_{i+2k} = s_{i+2(k-1)}$ then { $k \leftarrow k + 1$ and type $\leftarrow$ II ,
            If $s_{i+2k} = s_{i+2(k-1)}$ then { $k \leftarrow k + 1$ and type $\leftarrow$ III } }
        (Observe that $s_{i+2k-1} = 0$)
        If $k \ge 3$ then {
            $S^{(1)}[i + 2(k-1) \ldots i] \leftarrow (0 \ldots 0)$
            If type = I then { $s^{(2)}_{i+2k} \leftarrow -\mu(-1)^{k-1}x$ and $s^{(2)}_i \leftarrow -\mu x$ }
            If type = II then { $s^{(2)}_{i+2k-1} \leftarrow (-1)^{k-1}x$ and $s^{(2)}_i \leftarrow -\mu x$ }
            If type = III then { $s^{(2)}_{i+2k-3} \leftarrow (-1)^{k-3}x$ and $s^{(2)}_i \leftarrow -\mu x$ }
        }
        $i \leftarrow i + 2k$
    }
} WHILE $i < \#S$
Output $S^{(1)}, S^{(2)}$.

Algorithm 1. New τ-adic scalar recoding



the extraction of a square root. Therefore, τ and its inverse have the same minimal cost.

To compute $S^{(1)}P + S^{(2)}Q$ it is not necessary to precompute $Q$. We can first compute $S^{(2)}P$, halve the result, apply a suitable power of τ, and then resume the τ-and-add loop using $S^{(1)}$, thus avoiding an extra point storage. We give a realization of this idea which processes the τ-adic expansions right-to-left (i.e. beginning with the lowest powers of τ) and using $\tau^{-1}$ instead of τ. In Remark 3 we will see how this allows to interleave our recoding of $S$ into $S^{(1)}$ and $S^{(2)}$ with the scalar multiplication.

We begin by computing $S^{(2)}P$. We first set a variable $X$ to $s^{(2)}_0 P$. For each $j = 1, 2, \ldots, \ell_2 - 1$ with $\ell_2 = \#S^{(2)}$ we apply $\tau^{-1}$ to $X$ and add $s^{(2)}_j P$. After these steps $X$ equals $\tau^{-\ell_2+1}S^{(2)}P$ because we used the exponentiation algorithm from right to left with $\tau^{-1}$ instead of τ, so we apply $\tau^{\ell_2-1}$ to get the correct result. (We use the fact that $\tau^n - 1$ is 0 on $E$.) We then replace $X$ with $\tau(\tfrac12 X)$ and repeat the above procedure with $S^{(1)}$ in place of $S^{(2)}$, starting from $X + s^{(1)}_0 P$. We have thus Algorithm 2.

Remark 3. Once the τ-NAF $S$ is given, there is no need to store $S^{(j)}$ for $j = 1, 2$. The generation of $S^{(j)}$ for $j = 1, 2$ can be done twice and online, during the run
Input: A Koblitz curve $E_a$ with corresponding parameter $\mu = (-1)^{1-a}$, a point $P$ of odd order on $E_a$ and a scalar $s$ with associated (partially) reduced τ-NAF $S$
Output: $sP$

Compute the two τ-adic expansions $S^{(j)}$, $j = 1, 2$, from $S$ using Algorithm 1
    (If $S$ is the reduced τ-NAF of $s$ then $\ell_1 \le n$.
     If $S$ is partially reduced then $\ell_1 \le n + a + 3$.
     $\ell_2$ is at most $\#S + 2$.)
$X \leftarrow s^{(2)}_0 P$
for $j = 1$ to $\ell_2 - 1$ do
    { $X \leftarrow \tau^{-1}X$, and $X \leftarrow X + s^{(2)}_j P$ }
(Now $X = \tau^{-\ell_2+1}S^{(2)}P$)
$X \leftarrow \tau^{\ell_2}(\tfrac12 X)$
(Here we simplified $X \leftarrow \tau^{\ell_2-1}X$, $X \leftarrow \tau(\tfrac12 X)$.
 Now $X = S^{(2)}\tau(\tfrac12 P)$.)
$X \leftarrow X + s^{(1)}_0 P$
for $j = 1$ to $\ell_1 - 1$ do
    { $X \leftarrow \tau^{-1}X$, and $X \leftarrow X + s^{(1)}_j P$ }
(Now $X = \tau^{-\ell_1+1}\big(S^{(1)}P + S^{(2)}\tau(\tfrac12 P)\big) = \tau^{-\ell_1+1}sP$)
$X \leftarrow \tau^{\ell_1-1}X$
Output ($X$).

Algorithm 2. New scalar multiplication algorithm, right-to-left



of Algorithm 2. For simplicity we do not write down the resulting algorithm. The result is: the scalar multiplication algorithm based on the new scalar decomposition can be done without any precomputations, and without requiring storage for the recoding.

3.2 Field Represented Using a Polynomial Basis

In this case, squarings have a small, yet non-negligible cost: according to the experiments in [4, Section 3.5] we can assume $S \approx \ldots$ for $n = 163$ and $S \approx \ldots$ for $n = 233$. Knudsen [5] expects "the time to compute a square root in a polynomial basis to be equivalent to half the time to compute a field multiplication plus a very small overhead". This is in the general case confirmed in [3]. So, τ and $\tau^{-1}$ have in general different costs. In [3] a special square root extraction algorithm is given if the field is represented via a trinomial: in the case of $\mathbb{F}_{2^{233}}$, a good trinomial is $f(x) = \ldots + 1$ and a square root costs about $\ldots M$.

If we use Algorithm 2 to perform a scalar multiplication, we pay a penalty due to the increased number of inverse Frobenius ($\tau^{-1}$) operations. One way to overcome this problem is to compute $S^{(1)}P + S^{(2)}Q$ using the joint representation obtained from $S^{(1)}$ and $S^{(2)}$, i.e. the sequence of pairs $(s^{(1)}_j, s^{(2)}_j)$, and Shamir's trick (actually due to Straus [16], and in a more general form). By Remark 2, at most one element in each pair is non-zero: hence, we can use the
Input: A Koblitz curve $E_a$ with corresponding parameter $\mu = (-1)^{1-a}$, a point $P$ of odd order on $E_a$ and a scalar $s$ with associated (partially) reduced τ-NAF $S$
Output: $sP$

Compute the two τ-adic expansions $S^{(j)}$, $j = 1, 2$, from $S$ using Algorithm 1
$X \leftarrow s^{(2)}_{\ell_2-1} P$
for $j = \ell_2 - 2$ to $0$ do
    { $X \leftarrow \tau X$, and $X \leftarrow X + s^{(2)}_j P$ }
(Now $X = S^{(2)}P$)
$X \leftarrow \ldots$
(Here we simplified $X \leftarrow \ldots$, $X \leftarrow \tau(\tfrac12 X)$.
 Now $X = \ldots$ .)
for $j = \ell_1 - 2$ to $0$ do
    { $X \leftarrow \tau X$, and $X \leftarrow X + s^{(1)}_j P$ }
(Now $X = S^{(1)}P + S^{(2)}Q = S^{(1)}P + S^{(2)}\tau(\tfrac12 P) = sP$)
Output ($X$).

Algorithm 3. New scalar multiplication algorithm, left-to-right



Straus-Shamir trick without the need to precompute $P \pm Q$, and we only need to store $Q$.

A better solution when the extraction of square roots is (relatively) expensive is to use a variant of Algorithm 2 with τ instead of $\tau^{-1}$. We write it down as Algorithm 3: in this case we must store the τ-adic expansion before the scalar multiplication, and we need to compute and store each of $S^{(1)}$ and $S^{(2)}$ before the corresponding τ-and-add loop.

4 Analysis and Performance Aspects 

In the next subsection we prove the reduction of 14.29% in group additions of our method with respect to the τ-and-add method based on the τ-NAF. In Subsection 4.2 we estimate the effective improvement brought by our techniques by considering all group operations.

4.1 Complexity Analysis 

The following lemma can be proved analysing the τ-NAF recoding algorithm. Similar results hold for the usual NAF (see for example [2]).

Lemma 2. In a τ-NAF the probability that the digit immediately to the left of a 0 is another 0 is $1/2$ and that it is $1$ or $-1$ is $1/4$ in each case¹.

¹ The given probabilities are actually correct up to an error term exponentially decreasing in the length of the τ-NAF, and that does not influence the following analysis significantly.
To prove that our method gives an expected 14.29% reduction in group additions over the classical τ-and-add method, we model the reading of $S$ in Algorithm 1 - and the consequent construction of $S^{(1)}$ and $S^{(2)}$ - in terms of Markov chains. To do this, we describe the algorithm as a sequence of states taken from a list $\{S_0, \ldots, S_r\}$. States $S_0, \ldots, S_r$ occur with respective limiting probabilities $\sigma_0, \ldots, \sigma_r$. The states must be subject to the condition that the probability $\pi_{ij}$ that the state following $S_i$ is $S_j$ depends only on the states $S_i$ and $S_j$ and not on the way state $S_i$ has been reached. If $\Pi = (\pi_{ij})_{i,j=0}^{r}$ then the probabilities $\sigma_0, \ldots, \sigma_r$ sum up to 1 and form a vector $\sigma = (\sigma_0 \ldots \sigma_r)$ such that $\sigma\Pi = \sigma$.

While scanning $S$ in Algorithm 1 we are either attempting to form a maximal good $k$-block, or skipping zeros between blocks. We define five different states.

$S_0$: The state in which zeros outside $k$-blocks are skipped. Only one zero is skipped. All other states describe operations done to build $k$-blocks.

$S_1$: Entered whenever the first non-zero bit in a $k$-block is found. This is the one and only state where the first non-zero bit of a new $k$-block is read. Of course a zero bit follows and is skipped (the same also holds for states $S_2$-$S_4$). The following three states describe the scanning of the next bits in the $k$-block begun by entering state $S_1$.

$S_2$: Entered every time we find a non-zero bit which is the negative of the previous non-zero bit read. It can only follow states $S_1$ or $S_2$ itself.

$S_3$: This state corresponds to the first non-zero bit having the same sign as the previous one. Either this bit is the last non-zero bit in a type II $k$-block or the second to last in a type III $k$-block.

$S_4$: Entered after $S_3$ if the third in a line of three non-zero bits having the same sign is found. This bit is the last bit in a type III $k$-block.

State $S_0$ is reached if and only if the bit to the left of the bit(s) of the previous state is 0. We recall that in all states except $S_0$ the algorithm actually processes two bits: a non-zero bit whose relation to the previous non-zero bits determines the actual state, and the following zero.

State $S_1$ may follow states $S_3$ and $S_4$ directly. This occurs when a $k$-block follows immediately a maximal good $k$-block of type II or III.

The following state diagram illustrates the flow of the algorithm. The nodes correspond to the states and the arrows are labelled with the transition probabilities, which follow immediately from Lemma 2.
Recall that $\pi_{ij}$ denotes the transition probability from state $S_i$ to state $S_j$. We have the following probability transition matrix:

$$\Pi = (\pi_{ij})_{i,j=0}^{4} = \begin{pmatrix} 1/2 & 1/2 & 0 & 0 & 0 \\ 1/2 & 0 & 1/4 & 1/4 & 0 \\ 1/2 & 0 & 1/4 & 1/4 & 0 \\ 1/2 & 1/4 & 0 & 0 & 1/4 \\ 1/2 & 1/2 & 0 & 0 & 0 \end{pmatrix}$$

Now that $\Pi$ is known, we can easily compute the limiting probabilities $\sigma_0, \ldots, \sigma_4$, which are uniquely determined, and are: $\sigma = \frac{1}{42}(21\ \ 12\ \ 4\ \ 4\ \ 1)$.

Now suppose that, after $N$ state transitions, the algorithm has processed $m$ bits of $S$ and output a total of $w$ non-zero bits in $S^{(1)}$ and $S^{(2)}$. Since in state $S_0$ only one bit of $S$ is scanned and in all other states two, after $N$ state transitions the expected number of processed bits is $m = N(\sigma_0 + 2(1 - \sigma_0)) = N(\tfrac12 + 2 \cdot \tfrac12) = \tfrac32 N$.

Now, good $k$-blocks of weight 1 and 2 are left in $S^{(1)}$, whereas good $k$-blocks of weight at least 3 are cleared from $S^{(1)}$ and appropriate sequences of weight 2 are inserted in $S^{(2)}$ as described in Algorithm 1. Suppose the algorithm enters state $S_1$. If it immediately goes to state $S_0$, only one non-zero bit is output. In all other cases two non-zero bits are output. Then $w = \sigma_1 N(1 \cdot \pi_{10} + 2 \cdot (1 - \pi_{10})) = \tfrac27 N(\tfrac12 + 2 \cdot \tfrac12) = \tfrac37 N$.

Last, suppose the length of the original τ-NAF is $m$. It has, as already recalled, about $m/3$ non-zero digits. However the number of the non-zero digits in $S^{(1)} \cup S^{(2)}$ is $2m/7$. Since the number of additions equals the number of non-zero digits, minus one, our method brings a reduction of $(\tfrac13 - \tfrac27)/\tfrac13 \approx 14.29\%$ in additions with respect to the τ-and-add method.
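The limiting probabilities and the 14.29% figure can be recomputed exactly from the transition matrix above. The following Python snippet is an added example, not taken from the paper: it solves $\sigma\Pi = \sigma$ with $\sum_i \sigma_i = 1$ by Gauss-Jordan elimination over the rationals and then evaluates the per-transition expressions for $m$ and $w$ used in the argument.

```python
from fractions import Fraction as Fr

# Transition matrix Pi of Subsection 4.1 (state S_i in row i, S_j in column j).
PI = [
    [Fr(1, 2), Fr(1, 2), Fr(0), Fr(0), Fr(0)],
    [Fr(1, 2), Fr(0), Fr(1, 4), Fr(1, 4), Fr(0)],
    [Fr(1, 2), Fr(0), Fr(1, 4), Fr(1, 4), Fr(0)],
    [Fr(1, 2), Fr(1, 4), Fr(0), Fr(0), Fr(1, 4)],
    [Fr(1, 2), Fr(1, 2), Fr(0), Fr(0), Fr(0)],
]


def stationary(P):
    """Exact solution of sigma * P = sigma with sum(sigma) = 1 (Gauss-Jordan over Q).
    One balance equation is redundant because the rows of P sum to 1, so the last
    one is replaced by the normalisation."""
    n = len(P)
    rows = [[P[i][j] - (1 if i == j else 0) for i in range(n)] + [Fr(0)]
            for j in range(n)]
    rows[-1] = [Fr(1)] * n + [Fr(1)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[pivot] = rows[pivot], rows[col]
        scale = 1 / rows[col][col]
        rows[col] = [v * scale for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [u - f * v for u, v in zip(rows[r], rows[col])]
    return [rows[r][n] for r in range(n)]


def densities(P):
    """Per state transition: bits of S read (m/N), non-zero digits of S read (1 - sigma_0)
    and non-zero digits written to S1 and S2 (w/N); from these, the digit densities
    before and after the recoding and the relative saving in additions."""
    sigma = stationary(P)
    s0, s1, pi10 = sigma[0], sigma[1], P[1][0]
    m_per_step = s0 * 1 + (1 - s0) * 2           # S_0 reads one bit, every other state two
    w_before = 1 - s0                            # every non-S_0 step reads one non-zero digit
    w_after = s1 * (1 * pi10 + 2 * (1 - pi10))   # a block of weight 1 keeps 1 digit, else 2
    return {
        "sigma": sigma,
        "density_tnaf": w_before / m_per_step,
        "density_recoded": w_after / m_per_step,
        "saving": 1 - w_after / w_before,
    }
```

With the matrix above `densities(PI)` returns $\sigma = \frac{1}{42}(21, 12, 4, 4, 1)$, a τ-NAF density of $1/3$, a recoded density of $2/7$ and a saving of exactly $1/7$; any change to the transition probabilities (for instance a different digit distribution than Lemma 2) can be re-evaluated the same way.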



4.2 Practical Estimates 

We now estimate the actual speed-up for specific curves. As examples, we shall consider the Koblitz curves K-163 and K-233 over $\mathbb{F}_{2^{163}}$ and $\mathbb{F}_{2^{233}}$ from the FIPS standard issued by NIST [18].

Point halving (H), as described in Subsection 2.2, requires two field multiplications (M), the solution of an equation in $\lambda$ of the type $\lambda^2 + \lambda = c$ (EQ) and the extraction of a square root ($\sqrt{\ }$). An elliptic curve addition (A) is done by one field inversion (I), two multiplications and one squaring (S). A point doubling (D) requires $I + 2M + 2S$. A Frobenius operation (τ) and its inverse ($\tau^{-1}$) require $2S$ and $2\sqrt{\ }$ respectively.

With a polynomial basis, according to [4], $S \approx \ldots$ for $n = 163$ and $\ldots$ for $n = 233$. Following [3] we assume that, on average, $I \approx 8M$ when $n = 163$ and $I \approx 10M$ when $n = 233$. (For a comparison, [10] has $I \approx 9.3M$ for $n = 191$, for a software implementation on an embedded processor.) In $\mathbb{F}_{2^{233}}$, a field defined by a trinomial, a square root can be computed in $\approx \ldots$ [3, Example 3.12]. For $\mathbb{F}_{2^{163}}$ only a generic method is currently known, so $\sqrt{\ }$ takes, experimentally, $\approx \ldots$.
If a normal basis is used [5], S, $\sqrt{\ }$ and EQ have negligible costs. Because of the relatively high cost of a multiplication, we may assume $I \approx 3M$.

Since the length of a τ-expansion is $\approx n + a + 3$ (see Subsection 2.1), we see that the expected cost of the τ-and-add algorithm is $\tfrac13(n + a + 2)A + (n + a + 2)\tau$. Algorithm 2 requires $\tfrac27(n + a + 2)A + 2(n + a + 2)\tau^{-1}$ in the two loops; between the two loops there are: H, 1 A, and on average $(n + a + 3) - n = a + 3$ Frobenius operations (τ). Algorithm 3 has similar costs in the main loops, with τ in place of $\tau^{-1}$, but, on average, between the loops there is only a doubling and one addition. If the Straus-Shamir method is used (with a polynomial basis) right-to-left and with a single precomputation, the cost is $\tfrac27(n + a + 2)A + (n + a + 3)\tau + H$.

In the following table we write down the costs of different scalar multiplication algorithms relative to that of one multiplication: the τ-and-add method based on the τ-NAF, our Algorithms 2 and 3 with the gain of the best of the latter two over the τ-and-add. In the case of polynomial basis, we also show the costs of two methods requiring one precomputation: the one based on the Straus-Shamir trick from Subsection 3.2, and the usage of the width-2 τ-NAF (see [14,15]), which needs only $3P$.



  n    a   basis   τ-&-A    Algo. 2   Algo. 3   gain w.r.t. τ-&-A   width-2 τ-&-A   Straus-Shamir
 163   1   NB      276.7    244.1       -        11.8%                   -                -
           poly    605      827       572.4       5.5%                485.2            528.3
 233   0   NB      391.7    342.7       -        12.5%                   -                -
           poly   1001      946.2     932.5       7%                  788.1            868.4



The speed-ups are less than the theoretical estimate because of the additional overheads. The improvements will approach the theoretical maximum for large $n$. Our estimates are for software implementations. In hardware, where the ratio $I/M$ is higher, the actual improvement will be much closer to the asymptotic maximum. But in that case one should also consider the use of projective coordinates. If one can store one precomputed point, the width-2 τ-NAF is faster than the Straus-Shamir trick.



5 Conclusions 

In this paper we considered the problem of computing scalar multiplications on Koblitz curves. We combined for the first time the τ-adic expansion with point halving to give a new recoding of the scalar. By means of this we reduced the number of group operations required for a scalar multiplication by an asymptotic 14.29%.

For the curves K-163 and K-233 from NIST's FIPS standard we estimate an overall speedup of at least 12% if a normal basis is used.

The case where the field extension is represented using a normal basis is of particular relevance. It gives the highest speed-up, it allows to perform the scalar recoding online in the scalar multiplication, hence has no additional memory requirements (with respect to the classical τ-and-add method), apart from code size.
Abstract. We propose a scalar multiplication algorithm for elliptic and hyperelliptic curve cryptosystems, which uses affine arithmetic and is resistant against simple power attacks. Also, using a modification of known techniques the algorithm can be made immune against differential power attacks. The algorithm uses Montgomery's trick and a precomputed table consisting of multiples of the base point. Consequently, the algorithm is useful in a scenario where the base point is fixed, like Elgamal encryption or signature generation. Under such circumstances, for hyperelliptic curves, the algorithm compares favourably with other known algorithms over all fields. For elliptic curves, under similar circumstances, the algorithm performs better than other algorithms over prime fields. The increase in speed is due to a proper application of Montgomery's trick to efficiently perform the simultaneous inversion of several field elements.

Keywords: elliptic curves, hyperelliptic curves, scalar multiplication, field inversion, explicit formulae, side-channel attacks.



1 Introduction 

Elliptic curve cryptosystems (ECC) in recent years are gradually being inducted into many standards like ANSI, IEEE, NIST etc. The main advantage of these cryptosystems is that the key size is quite small in comparison to other cryptosystems like RSA, making these suitable for resource constrained devices, like smart cards. Hyperelliptic curve cryptosystems (HECC) are also attractive, as the underlying field size is smaller and there are many more curves to choose from. ECC has already established itself as a popular public key cryptosystem. However, the computational complexity of HECC has till now come in the way of its commercial utilisation. Several research groups around the world have now diverted their attention to HECC to reduce its complexity and make it available for popular applications.

Both ECC and HECC are based on the discrete logarithm problem. The underlying group in ECC is provided by the set of points on the curve over a finite field on which an additive group operation is defined. On the other hand, cryptography using hyperelliptic curves is carried out in the Jacobian of such curves. The Jacobian is an additively written group and the elements of the Jacobian are called divisors. In this paper, we will use the term point to mean both a point on an elliptic curve and a divisor in the Jacobian of a hyperelliptic curve. The most important and computationally costly operation in (H)ECC is the scalar multiplication. Scalar multiplication is the operation of multiplying a point $X$ with a scalar (an integer) $m$, i.e. computing $mX$.

The efficiency of scalar multiplication depends to a large extent on the efficiency of the addition and doubling operations on points. For elliptic curves point addition and doubling are relatively simple. Various co-ordinate systems have been proposed in the literature to reduce the complexity further. Divisors can be added in the Jacobian of hyperelliptic curves by Cantor's algorithm. However, this approach is not very efficient. One approach to improve the efficiency is to fix the genus of the curve and compute addition and doubling by explicit formulae. Such addition and doubling formulae were first described by Spallek [23] and have gone through many changes since then (see [6], [16], [24], [18], [19], [20]). For genus 2 curves an efficient set of formulae has been described by Lange in [12] and [13].

In the first paper [12], the author presents algorithms for addition and doubling, which involve the inversion of a field element along with some squarings and multiplications. In [13], algorithms are presented for addition and doubling which do not require inversion. Avoiding the inversion leads to some extra squarings and multiplications. This extra cost in terms of multiplications and squarings is not always desirable. Particularly in binary fields, where the ratio of the cost of inversion to the cost of multiplication is not so high (between 3 and 8), inversion-free arithmetic is unnecessary. In prime fields, where this ratio is much higher (> 30), inversion-free arithmetic seems to be more appropriate.

Side-channel attacks (SCA) were first proposed by Paul Kocher in 1996. The 
aim of SCA is to attack a specific implementation by measuring side-channel 
data like timing, power consumption traces, electro-magnetic radiation etc. One 
important class of these attacks, called power analysis attacks, uses the power 
consumption traces of the execution(s) of the implementation. Several measures 
have been proposed to defeat SCA in ECC. 

In the current work, we present a new algorithm for computing the scalar 
multiplication for both elliptic and hyperelliptic curve cryptosystems. Our ap- 
proach uses arithmetic with inversion and performs better than algorithms us- 
ing inversion-free arithmetic in prime fields, where the cost of inversion is much 
higher than in binary fields. Moreover, the proposed algorithm is SCA resistant. 

The efficiency of the algorithm is derived from the fact that, while computing the scalar multiplication, instead of scanning one bit at a time, several bits can be scanned from different locations in the binary representation of the multiplier and the point additions and doublings can be done simultaneously. As each of the additions and doublings involves one inversion, all these inversions can be computed simultaneously by Montgomery's trick (see Section 2.2) with only one inversion and some extra multiplications. The partial results so obtained are added by another point addition algorithm, TreeADD, which computes the addition of several points in a tree structure. The partial sums at the nodes of a particular level of the tree are computed together and the involved inversions are computed simultaneously by Montgomery's trick. This yields a very efficient scalar multiplication algorithm.

Our algorithm uses a precomputed table. So, it is useful in applications where the base point is fixed, like Elgamal encryption and signature generation. Also, the use of Montgomery's trick requires storage of several points, which increases the memory requirement. In Section 5, it can be seen that for HECC over prime fields, when the base point is fixed, the algorithm is 77% faster than the DPA resistant version of Coron's dummy addition method. Over binary fields the speed enhancement is about 28.1%. The performance is lower due to the fact that inversion is cheaper over such fields. For ECC over fields of characteristic > 3, under similar assumptions, the performance of our algorithm compares favourably against all SCA-resistant algorithms. The speed up is around 10% in the best scenario (window-size = 5).

2 Preliminaries 

We first present a brief overview of hyperelliptic curves. For details, readers can refer to [10], [15], [11] or [3]. Let $K$ be a field and let $\bar K$ be the algebraic closure of $K$. A hyperelliptic curve $C$ of genus $g$ ($\ge 1$) over $K$ is an equation of the form $C : v^2 + h(u)v = f(u)$ where $h(u)$ in $K[u]$ is a polynomial of degree at most $g$, $f(u)$ in $K[u]$ is a monic polynomial of degree $2g + 1$, and there are no "singular points". Elliptic curves are hyperelliptic curves of genus 1.

A divisor $D$ is an element of the free abelian group generated by all the points of the curve $C$ over $\bar K$. Let $\mathcal{D}$ stand for the set of all divisors. The degree of a divisor is defined to be the sum of all integer coefficients of the points occurring in the divisor. The set of all divisors of degree 0 forms a subgroup of $\mathcal{D}$.

The set of degree-0 divisors can be partitioned into equivalence classes of divisors, each of which contains and hence is represented by a unique special type of divisor, called reduced divisors. Reduced divisors have a beautiful canonical representation by means of two polynomials $[a(u), b(u)]$ of small degree over $K$. This is called Mumford's representation. The reduced divisors can be effectively added using Cantor's algorithm [3]. This group of reduced divisors is called the Jacobian of the curve $C$. It is generally denoted by $J_C(K)$. The discrete logarithm problem on the Jacobian of hyperelliptic curves of lower genus ($g < 4$) over suitable finite fields $K$ is believed to be hard. This opens the possibility of realising different cryptographic primitives over it.

2.1 Point Arithmetic in (H)ECC 

Let $[i]$, $[m]$ and $[s]$ denote the amount of time required to compute an inversion, a multiplication and a squaring respectively in the underlying field. We will use the notation $i$ to denote the ratio $[i]/[m]$, which represents the relative cost of an inversion compared to a multiplication. The value of $i$ depends on the choice of the underlying field. For binary fields this value has been reported to be between 3 and 10 and for prime fields it is somewhere between 30 and 40 (see [5]). In prime fields the cost of a squaring is known to be somewhat less than the cost of a multiplication. For simplicity, in the current work we assume $[m] = [s]$.



Elliptic Curve Arithmetic We only consider elliptic curves over prime fields. The equation of an elliptic curve over such a field is $y^2 = x^3 + ax + b$ where $a, b \in K$ and $4a^3 + 27b^2 \ne 0$. The costs of the addition (ECADD) and doubling (ECDBL) algorithms for ECC in affine co-ordinates are $1[i] + 1[m] + 1[s]$ and $1[i] + 2[m] + 1[s]$ respectively.



Hyperelliptic Curve Arithmetic For addition of divisors in the Jacobian of hyperelliptic curves, the use of explicit formulae has been proved to be the most efficient method. Many such formulae have been proposed in the literature by various authors. In this work, we will mostly concentrate on hyperelliptic curves of genus 2. For these curves Lange has provided a set of efficient formulae for addition and doubling in [12], [13]. The formulae proposed in [12] involve inversions in the underlying field. We will refer to these formulae as affine arithmetic. The formulae proposed in [13] do not involve inversions. We will refer to these as inversion-free arithmetic. For genus 3 and genus 4 curves affine formulae are proposed by Pelzl et al. [19], [20]. Our proposed algorithm can also be used for curves of genera 2 and 3, which require 1 inversion each for divisor addition and doubling. In the current paper we will concentrate on curves of genus 2. Table 1 describes the complexity of the addition and doubling formulae proposed in [12], [13].



Table 1. Complexity of Explicit Formulae described in [12,13]

Name/Proposed in   Cost (Add)              Cost (Double)
Lange [12]         1[i] + 22[m] + 3[s]     1[i] + 22[m] + 5[s]
Lange [13]         40[m] + 6[s]            47[m] + 4[s]



2.2 Computing Inverses Simultaneously 

Our scalar multiplication algorithm derives its efficiency from the fact that inversions of several field elements can be computed simultaneously by one inversion and some extra multiplications. One well known technique for doing this is Montgomery's trick [22], [17] which works as follows. Let $x_1, \ldots, x_n$ be the elements to be inverted. The algorithm first computes $a_1 = x_1, a_2 = x_1x_2, \ldots, a_n = x_1 \cdots x_n$, by $(n - 1)$ multiplications. Then it inverts $a_n$. Now, $x_n^{-1}$ is computed by multiplying $a_n^{-1}$ by $a_{n-1}$. Also, $a_{n-1}^{-1} = a_n^{-1}x_n$ and $x_{n-1}^{-1}$ is $a_{n-1}^{-1}a_{n-2}$. Similarly, it computes the inverses of the other elements. It is not difficult to see that the algorithm uses only $3(n - 1)$ multiplications and one inversion. We will denote the cost of computing the inverses of $n$ field elements by $X(n)$. Montgomery's trick shows that we can take $X(n) = 1[i] + 3(n - 1)[m]$.
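The trick as described above, written out as an added Python example (not the paper's code) over a prime field. The field wrapper counts operations so that the $1[i] + 3(n-1)[m]$ cost is checked rather than taken on trust; the prime and the sample elements are constructed for the example. The one failure mode worth handling is a zero among the inputs: it poisons every partial product, so the implementation rejects it up front instead of silently returning garbage.

```python
class CountingField:
    """Prime-field arithmetic that counts multiplications and inversions, so the
    1[i] + 3(n-1)[m] cost of Montgomery's trick can be verified directly."""

    def __init__(self, p):
        self.p = p
        self.muls = 0
        self.invs = 0

    def mul(self, x, y):
        self.muls += 1
        return x * y % self.p

    def inv(self, x):
        self.invs += 1
        return pow(x, self.p - 2, self.p)  # Fermat inversion; p is prime


def montgomery_batch_inverse(F, xs):
    """Invert every element of xs with one field inversion and 3(n-1) multiplications."""
    n = len(xs)
    if n == 0:
        return []
    for k, x in enumerate(xs):
        if x % F.p == 0:  # a single zero would make every partial product zero
            raise ValueError(f"element {k} is zero and has no inverse")
    # Forward pass: a_1 = x_1, a_2 = x_1 x_2, ..., a_n = x_1 ... x_n  (n-1 multiplications)
    a = [xs[0] % F.p]
    for x in xs[1:]:
        a.append(F.mul(a[-1], x))
    # One inversion of a_n
    a_inv = F.inv(a[-1])
    # Backward pass: x_k^{-1} = a_k^{-1} a_{k-1}, then a_{k-1}^{-1} = a_k^{-1} x_k
    # (two multiplications per element)
    out = [0] * n
    for k in range(n - 1, 0, -1):
        out[k] = F.mul(a_inv, a[k - 1])
        a_inv = F.mul(a_inv, xs[k])
    out[0] = a_inv  # a_1 = x_1, so what is left is x_1^{-1}
    return out


def batch_inverse_cost(xs, p):
    """Run the trick on xs over F_p; return (all inverses correct, #muls, #invs)."""
    F = CountingField(p)
    inv = montgomery_batch_inverse(F, xs)
    ok = all(x * y % p == 1 for x, y in zip(xs, inv))
    return ok, F.muls, F.invs
```

With five elements the counters read 12 multiplications and a single inversion, i.e. $3(5-1)[m] + 1[i]$. In a side-channel setting the batch must be the same size on every run, since the early `ValueError` path and a data-dependent batch length would both be visible in a power trace.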

2.3 Side Channel Attacks 

In this subsection we discuss various countermeasures proposed in the literature to resist side-channel attacks on (H)ECC.

Countermeasures Against SPA The usual binary algorithm for scalar multiplication is not secure against side channel attacks. To resist SPA, two approaches are generally resorted to in ECC. The first one is to make the computation independent of the bit pattern representing the scalar multiplier. Several countermeasures against SPA fall in this category. The simplest one is Coron's dummy addition method, i.e. to carry out one dummy addition if the corresponding bit is 0. Other approaches are based on various addition chains and window based methods. Particularly, for ECC, the Montgomery ladder along with the x-coordinate only encapsulated add-and-double algorithm proposed by Izu and Takagi and the window-based methods proposed by Möller are very efficient and secure against SPA. The second approach uses indistinguishable algorithms for point addition and doubling. Certain elliptic curves like Hessian and Jacobi form elliptic curves admit such algorithms. For a detailed treatment of these methods the reader can refer to [8].

There is no result specific to HECC proposed in the literature to immunize the scalar multiplication algorithm against SPA. However, Coron's dummy addition method can easily be carried over to HECC.

Countermeasures Against DPA Several remedies have been proposed for immunising ECC from DPA. We briefly mention one such method - the Joye-Tymen countermeasure [9]. Let $z$ be a random nonzero field element. The steps are as follows.

1. Compute $z^2, z^3, z^4, z^6$.

2. Transform the base point $P(x, y)$ to $(z^2x, z^3y)$.

3. Transform the curve coefficients $(a, b)$ to $a' = z^4a$, $b' = z^6b$.

4. Compute scalar multiplication with the new point on the new curve.

5. Transform the result $(x, y)$ back to the original curve using $(x, y) \mapsto (x/z^2, y/z^3)$.

The additional cost of obtaining DPA resistance is $4[m]$ for Step 1; $2[m]$ for Step 2; $2[m]$ for Step 3 and finally $1[i] + 2[m]$ for Step 5.
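The five steps above, as an added Python example (not the paper's code) on a toy curve: the prime, the curve coefficients, the base point and the value of $z$ are all constructed for the example, and the scalar multiplication in Step 4 is plain double-and-add with affine ECADD/ECDBL (one inversion each, as in Subsection 2.1), so the block isolates the DPA countermeasure and carries no SPA protection of its own. The check is that the result mapped back from the randomised curve equals the multiple computed directly on the original curve, which is what makes the mask transparent to the caller.

```python
P_MOD = 97             # toy prime (constructed; real curves use a ~256-bit p)
A_COEF, B_COEF = 2, 3  # toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed)
BASE = (3, 6)          # on the curve: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)


def inv(x, p):
    return pow(x % p, p - 2, p)


def on_curve(P, a, b, p):
    if P is None:
        return True
    x, y = P
    return (y * y - x * x * x - a * x - b) % p == 0


def ec_add(P, Q, a, p):
    """Affine ECADD / ECDBL on y^2 = x^3 + ax + b over F_p; None is the point at
    infinity.  Each addition or doubling costs one field inversion."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(m, P, a, p):
    """Left-to-right double-and-add (no SPA countermeasure; see the text for those)."""
    R = None
    for bit in bin(m)[2:]:
        R = ec_add(R, R, a, p)
        if bit == "1":
            R = ec_add(R, P, a, p)
    return R


def joye_tymen_mul(m, P, a, b, z, p):
    """Steps 1-5 of the Joye-Tymen countermeasure: move to the isomorphic curve
    selected by the random z, multiply there, and map the result back."""
    z2 = z * z % p                        # Step 1: z^2, z^3, z^4, z^6 (4[m])
    z3 = z2 * z % p
    z4 = z2 * z2 % p
    z6 = z4 * z2 % p
    Pz = (z2 * P[0] % p, z3 * P[1] % p)   # Step 2: (x, y) -> (z^2 x, z^3 y) (2[m])
    az, bz = z4 * a % p, z6 * b % p       # Step 3: (a, b) -> (z^4 a, z^6 b) (2[m])
    assert on_curve(Pz, az, bz, p)        # the moved point lies on the moved curve
    R = ec_mul(m, Pz, az, p)              # Step 4: scalar multiplication on the new curve
    if R is None:
        return None
    iz = inv(z, p)                        # Step 5: (x, y) -> (x / z^2, y / z^3),
    iz2 = iz * iz % p                     # one inversion plus a few multiplications
    iz3 = iz2 * iz % p
    return (R[0] * iz2 % p, R[1] * iz3 % p)


if __name__ == "__main__":
    print("direct:", ec_mul(13, BASE, A_COEF, P_MOD))
    print("masked:", joye_tymen_mul(13, BASE, A_COEF, B_COEF, 5, P_MOD))
```

In a deployment $z$ is drawn fresh from a cryptographic RNG for every scalar multiplication; the fixed $z = 5$ in the test exists only to make the check reproducible, and a fixed $z$ would give no DPA protection at all.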

Recently, Avanzi [1] has generalised these techniques for HECC. Briefly, we 
describe the curve randomisation countermeasure which we will use in our algorithm. 
Let the underlying curve C of the cryptosystem be $y^2 + h(x)y = f(x)$ 
where $h(x) = h_2 x^2 + h_1 x + h_0$ and $f(x) = x^5 + f_4 x^4 + f_3 x^3 + f_2 x^2 + f_1 x + f_0$. Let 
$D = [u(x), v(x)]$ be the base divisor in C and let z be a random field element. 

1. Compute $z^{-1}, z^{-2}, z^{-3}, z^{-4}, z^{-5}, z^{-6}, z^{-8}$ and $z^{-10}$. 

2. Transform h(x) and f(x) into $\tilde h(x)$ and $\tilde f(x)$ as follows: 
$\tilde h(x) = z^{-1} h_2 x^2 + z^{-3} h_1 x + z^{-5} h_0$ and 

$\tilde f(x) = x^5 + z^{-2} f_4 x^4 + z^{-4} f_3 x^3 + z^{-6} f_2 x^2 + z^{-8} f_1 x + z^{-10} f_0$. 

3. Transform D to $\tilde D = [\tilde u(x), \tilde v(x)]$, where $\tilde D$ is defined as follows: 

If deg(u) = 2 and $u(x) = x^2 + u_1 x + u_0$ and $v(x) = v_1 x + v_0$ then 

$\tilde u(x) = x^2 + z^{-2} u_1 x + z^{-4} u_0$ and $\tilde v(x) = z^{-3} v_1 x + z^{-5} v_0$. 

If deg(u) = 1 and $u(x) = x + u_0$ and $v(x) = v_0$ then $\tilde u(x) = x + z^{-2} u_0$ and 
$\tilde v(x) = z^{-5} v_0$. 

4. Compute scalar multiplication using the new curve and the new divisor. 

5. The result is transformed back to the original curve using the inverse of 
Step 3 and the relevant powers of z (rather than $z^{-1}$). 

The additional cost of attaining DPA resistance is as follows: 1[i] + 7[m] for 
Step 1; 8[m] for Step 2; at most 4[m] for Step 3 and 8[m] for Step 5. If the 
characteristic of the field is odd, then the polynomial h(x) can be taken to be 
zero and hence the cost of Step 2 would come down to 5[m]. 

2.4 Scalar Multiplication Methods for HECC 

Many scalar multiplication algorithms immunized against SCA have been pro- 
posed for ECC. We discuss some specific methods for genus 2 HECC using 
Lange’s formula (see Table 1) along with their costs below. 

(a) The usual add and double algorithm: For an n-bit multiplier such an algorithm 
requires n doublings and n/2 additions on the average (though this computation 
is not SCA resistant). So the cost of computing the scalar multiplication 
using [13] is n × 46[m] + (n/2) × 51[m] = 71.5n[m]. Using affine arithmetic [12] 
the cost of n doublings and n/2 additions is n × (1[i] + 22[m] + 5[s]) + (n/2) × 
(1[i] + 22[m] + 3[s]) ≈ ((3/2)i + 39.5)n[m]. However, this computation is not SCA 
resistant. 

(b) To make the computation SPA resistant we can resort to Coron's countermeasure 
for ECC. That is, we can make some dummy additions if the corresponding 
bit in the binary representation is 0. In this case, we have to compute n additions 
and n doublings. The cost of the computation in inversion-free arithmetic will 
be 51n[m] + 46n[m] = 97n[m]. This computation is costlier than that of (a), but 
is SPA resistant. But, again, in binary fields the affine arithmetic will be preferable. 
In binary fields, the cost will be n(1[i] + 22[m] + 5[s]) + n(1[i] + 22[m] + 3[s]) ≈ 
(2i + 52)n[m]. It can be made resistant against DPA using the methods described 
above. 

(c) We can encapsulate the addition and doubling formulae of affine co-ordinates 
to obtain a more efficient formula. Suppose we wish to compute an addition 
and a doubling simultaneously. In affine co-ordinates, both will involve one inversion. 
Instead of computing two inversions, we can compute them by Montgomery's 
trick with 1 inversion and 3 multiplications. So the cost of one addition 
and doubling is 1[i] + 3[m] + 52[m] ≈ (i + 55)[m]. We can now use this algorithm 
in a Montgomery's-ladder-type scalar multiplication algorithm to compute 
the scalar multiplication. The method involves one doubling at the outset. 
The amount of computation involved in computing the scalar multiplication would 
be ((i + 55)n + i + 27)[m]. Again the computation will be SPA resistant. It can 
also be made resistant against DPA. 

We produce the summary of this discussion in Table 2. In the table we have 
considered two specific values of i, 8 and 30. It is clear from the table that (c) is 
better than (b). Although the average case complexity of (a) is better than (c), 
the former is not SCA resistant. Note that both (b) and (c) can be made DPA 
resistant (at an additional cost) by using Avanzi's countermeasure as discussed 
in Section 2.3. 



Table 2. Complexity of different algorithms for HECC. 

 ALGORITHM    i    COMPLEXITY 
 (a)         30    71.5n[m] (avg case) 
              8    51.5n[m] 
 (b)         30    97n[m] 
              8    68n[m] 
 (c)         30    (84n + 57)[m] 
              8    (63n + 35)[m] 



3 New Algorithm for Scalar Multiplication 

Before describing the proposed algorithm, let us have a close look at the addition 
and doubling algorithms in affine co-ordinates. 

3.1 Addition and Doubling in Affine Co-ordinates 

Let us consider the addition (HCADD) and doubling (HCDBL) algorithms for 
HECC in [12] in the most general and frequent case. These can be divided into 
three parts. In part one, some multiplications and squarings of the underlying 
field elements are carried out. In part two, a field element generated in part one 
is inverted. The inverse so obtained in part two is used in part three along with 
some more multiplications and squarings of field elements. The output of part 
three provides the required divisor. See Figure 1. 

Let us name the modules of these algorithms as $A_1, A_2, A_3$ (parts of the addition 
algorithm) and $D_1, D_2, D_3$ (parts of the doubling algorithm). In each of $A_2$ 
and $D_2$, we compute only one inverse. Let the number of multiplications and 
squarings required in $A_1, A_3, D_1$ and $D_3$ be $a_1, a_3, d_1$ and $d_3$ respectively. We 
will use the notation a for $a_1 + a_3$ and d for $d_1 + d_3$. By $A_1(D_1, D_2)$, we will 
mean the field element $\alpha$ created in module $A_1$ of the addition algorithm and 
which is inverted in $A_2$. Similarly, by $D_1(D_1)$, we will mean the field element $\beta$ 
(Figure 1, block diagram: HCADD consists of the modules $A_1$, $A_2$ (one inversion) and $A_3$; HCDBL consists of $D_1$, $D_2$ (one inversion) and $D_3$.) 

Fig. 1. HCADD and HCDBL algorithms proposed in [12] 



created in module $D_1$ of the doubling algorithm and which is inverted in module 
$D_2$. By $A_3(D_1, D_2, \alpha^{-1})$ (resp. $D_3(D_1, \beta^{-1})$) we mean the divisor produced by 
the module $A_3$ (resp. $D_3$) as the sum of $D_1$ and $D_2$ (resp. $D_1$). 

The same can be said about addition and doubling algorithms for ECC in 
affine co-ordinates. In ECC, the values of $a_1, a_3, a$ etc. will be much smaller. 

3.2 The Proposed Algorithm 

Let $w \ge 2$ be a positive integer. We express m in the base $2^w$. Let $m = c_0 + 
c_1 2^w + \cdots + c_{t-1} 2^{(t-1)w}$ where each $c_j \in \{0, \ldots, 2^w - 1\}$. Then $mD = c_0 D + 
c_1 2^w D + \cdots + c_{t-1} 2^{(t-1)w} D$. For all $j$, $0 \le j \le t-1$, we precompute $2^{jw} D$ and 
store it in a table T[]. Thus $T[j] = 2^{jw} D$ for $0 \le j \le t-1$. This table is used 
to simultaneously compute $c_0 D, c_1 2^w D, \ldots, c_{t-1} 2^{(t-1)w} D$ using the right-to-left 
binary method. (A similar algorithm can also be developed using the left-to-right 
binary method.) Finally we add them to obtain mD. 

Let the n-bit representation of m be $m_{n-1} \ldots m_0$. Note that $t = \lceil n/w \rceil$. 
We express $c_j$ in binary, i.e., we write $c_j = c_j^0 + c_j^1 2 + \cdots + c_j^{w-1} 2^{w-1}$ where $c_j^i = 
m_{wj+i}$. We require $2t + 1$ point type variables $R_0, \ldots, R_{t-1}$ and $Q_0, Q_1, \ldots, Q_t$. 
The variable $R_j$ is initialized to $2^{jw} D$. Starting from the least significant bit of 
$c_j$, we scan a bit in each iteration. If the scanned bit is 1, then we add $R_j$ to 
$Q_{j+1}$; if the scanned bit is 0, then we add $R_j$ to $Q_0$; in either case we double 
$R_j$. After w iterations, $Q_{j+1}$ is $c_j 2^{jw} D$. For $0 \le j \le t-1$, we compute all 
the expressions $c_j 2^{jw} D$ simultaneously. Each of the additions and doublings 
in each iteration will involve one inversion. While doing these additions and 
doublings, we carry out all the inversions simultaneously by Montgomery's trick. 
This yields an efficient algorithm for scalar multiplication. Our algorithm calls a 
routine INVERT, which simultaneously inverts a number of field elements using 
Montgomery's trick. Recall that by $I(n)$ we denote the cost of inversion of n 
elements using INVERT and $I(n) = 1[i] + 3(n-1)[m]$. 
Algorithm EFF-SCLR-MULT 

Input: $m, t, c_0, c_1, \ldots, c_{t-1}, D$. 

Output: $mD$. 

1. For $j = 0$ to $t-1$ { $R_j = T[j]$; 
   If $c_j^0 = 0$ then $b = 0$, $\bar b = j+1$ 
   else $b = j+1$, $\bar b = 0$; $Q_b = R_j$; } 

2. For $j = 0$ to $t-1$ let $\beta_j = D_1(R_j)$; 

3. Let $(\beta_0^{-1}, \ldots, \beta_{t-1}^{-1}) = \mathrm{INVERT}(\beta_0, \ldots, \beta_{t-1})$ 

4. For $j = 0$ to $t-1$ let $R_j = D_3(R_j, \beta_j^{-1})$; 

5. For $i = 1$ to $w-2$ 

6.   For $j = 0$ to $t-1$ { $\alpha_j = A_1(R_j, Q_{j+1})$; $\beta_j = D_1(R_j)$; } 

9.   Let $(\alpha_0^{-1}, \ldots, \alpha_{t-1}^{-1}, \beta_0^{-1}, \ldots, \beta_{t-1}^{-1}) = \mathrm{INVERT}(\alpha_0, \ldots, \alpha_{t-1}, \beta_0, \ldots, \beta_{t-1})$ 

10.  For $j = 0$ to $t-1$ { $Q_b = A_3(R_j, Q_{j+1}, \alpha_j^{-1})$ (with $b = j+1$ if $c_j^i = 1$ and $b = 0$ otherwise, as in Step 1); $R_j = D_3(R_j, \beta_j^{-1})$; } 

13. end do. 

14. For $j = 0$ to $t-1$ let $\alpha_j = A_1(R_j, Q_{j+1})$; 

15. Let $(\alpha_0^{-1}, \ldots, \alpha_{t-1}^{-1}) = \mathrm{INVERT}(\alpha_0, \ldots, \alpha_{t-1})$ 

16. For $j = 0$ to $t-1$ let $Q_b = A_3(R_j, Q_{j+1}, \alpha_j^{-1})$ (with $b = j+1$ if $c_j^{w-1} = 1$ and $b = 0$ otherwise); 

17. Let RES = TreeADD($Q_1, \ldots, Q_t$) 

18. Return (RES) 

Proposition 1. The cost of the above algorithm is $[t(w-1)(a+d) + ta][m] + 
(w-1)I(2t) + I(t) + \mathrm{cost(TreeADD)}$, where cost(TreeADD) is the cost of the 
TreeADD algorithm invoked by the algorithm. 

The algorithm TreeADD adds a number of points efficiently. It uses a tree structure 
for computation. Suppose $D_0, D_1, \ldots, D_{k-1}$ are the input points. For simplicity, 
assume $k = 2^r$. Imagine a tree of depth r with the input points at the leaf 
nodes. We pairwise add the points at the nodes with a common parent and put 
the sum at the parent node of each pair. There are $2^{r-1}$ nodes at level $r-1$ and 
to get the points at these nodes we have to perform $2^{r-1}$ additions. Note that 
each of these additions needs one inversion. Instead of computing $2^{r-1}$ inversions 
separately, we can compute them with 1 inversion and $(3 \times 2^{r-1} - 1)$ multiplications 
using Montgomery's algorithm. This process is carried out at each level 
up to the root. The root then contains the sum of all the points. 

Algorithm TreeADD 

Input: $D_0, \ldots, D_{2^k - 1}$ 
Output: $D_0 + D_1 + \cdots + D_{2^k - 1}$ 

1. For $i = 0$ to $2^k - 1$ let $D_i^{(0)} = D_i$. 

2. For $j = 1$ to $k$ 

3.   let $(D_0^{(j)}, D_1^{(j)}, \ldots, D_{2^{k-j}-1}^{(j)}) = \mathrm{ADD}(D_0^{(j-1)}, \ldots, D_{2^{k-j+1}-1}^{(j-1)})$ 

4. Return $(D_0^{(k)})$ 

TreeADD invokes the algorithm ADD, which takes as input 2k points, 
$D_0, D_1, \ldots, D_{2k-1}$ and returns $D_0 + D_1, D_2 + D_3, \ldots, D_{2k-2} + D_{2k-1}$. ADD 
computes k additions at one invocation. Hence, the inversions at the $A_2$ step of all 
these additions can be done simultaneously using Montgomery's algorithm. 

Algorithm ADD 

Input: $D_0, \ldots, D_{2k-1}$. 

Output: $D_0 + D_1, \ldots, D_{2k-2} + D_{2k-1}$. 

1. For $i = 0$ to $k-1$, let $\alpha_i = A_1(D_{2i}, D_{2i+1})$. 

2. Let $(\alpha_0^{-1}, \ldots, \alpha_{k-1}^{-1}) = \mathrm{INVERT}(\alpha_0, \alpha_1, \ldots, \alpha_{k-1})$. 

3. For $i = 0$ to $k-1$ let $E_i = A_3(D_{2i}, D_{2i+1}, \alpha_i^{-1})$. 

4. Return $(E_0, E_1, \ldots, E_{k-1})$. 

Proposition 2. ADD takes $2^r a[m] + I(2^r)$ computations to compute the $k = 2^r$ 
sums of $2k = 2^{r+1}$ input points. 

With $I(n) = 1[i] + 3(n-1)[m]$ (see Subsection 2.2), the cost of ADD becomes 
$(2^r a + 3(2^r - 1))[m] + 1[i]$. 

Now we can compute the complexity of the algorithm TreeADD. TreeADD 
repeatedly calls the algorithm ADD, first with $2^r$ points, then with $2^{r-1}$ 
points and so on. Let the cost of ADD with k input points be $[kA]$. Then the 
cost of TreeADD with $2^r$ points is $[2^r A] + [2^{r-1} A] + \cdots + [2A]$. By Proposition 
2, $[2^i A] = 2^{i-1} a[m] + I(2^{i-1})$. Hence the computational cost of TreeADD is 
$\sum_{i=1}^{r} [2^i A] = \sum_{i=1}^{r} \left(2^{i-1} a[m] + I(2^{i-1})\right) = (2^r - 1)a[m] + \sum_{i=1}^{r} I(2^{i-1})$. With 

$I(n) = 1[i] + 3(n-1)[m]$, we have: 

Proposition 3. TreeADD takes $(2^r - 1)a[m] + \sum_{i=1}^{r} I(2^{i-1}) = [(2^r - 1)a + 3 \times 
2^r - 3r - 3][m] + r[i]$ computations to compute the sum of $2^r$ input points. 

We now compute the complexity of the algorithm EFF-SCLR-MULT. In 
Steps 2-4 we double t points, inverting t elements by INVERT. In each iteration 
of the loop in Steps 5-13, we add t points and double t points. So in each iteration 
we invoke INVERT with 2t field elements. In Steps 14-16 we add t points, 
inverting t elements by INVERT. Finally, in Step 17 the TreeADD algorithm is 
invoked. 

Proposition 4. EFF-SCLR-MULT takes $(w+r)[i] + [2^r(w-1)(a+d+6) - 3w + 
(2^r - 1)a + 3 \times 2^r - 3r - 3][m]$ computations to compute the scalar multiplication 
mD where m is an n-bit integer, w is the window size and $t = \lceil n/w \rceil = 2^r$. 

The algorithm uses a table which must be precomputed. Online computation 
will be very costly. The table will store t points. An elliptic curve point is an 
ordered pair of field elements. Each field element is of 160 bits. So a point occupies 
320 bits of memory. Similarly, a divisor of a hyperelliptic curve of genus 2 is a 
4-tuple of field elements, where each field element is of around 80 bits. So, a 
divisor also occupies almost the same amount of memory. Since the algorithm needs 
to store t points, it requires about 320t bits of storage. 

4 Resistance Against SCA 

In this section we discuss the resistance of our algorithm to side-channel attacks 
and the cost involved in achieving such resistance. 
4.1 Resistance Against SPA 

Algorithm EFF-SCLR-MULT is resistant against simple power attacks, the reason 
being the following. At each iteration in steps 2 to 10, we are scanning t 
bits from the binary representation of m and computing some additions and 
doublings. The numbers of additions and doublings are fixed and independent 
of the actual bit pattern scanned. Similarly in steps 12 to 17, the same number 
of additions are being computed irrespective of the actual bits scanned. Hence 
we conclude that the computations are resistant against SPA. 



4.2 Resistance Against DPA 

We discuss a method for making the algorithm resistant against DPA. Recall 
that we use a look-up table T[] of t points. The steps of the countermeasure 
for both ECC and HECC are as follows. 

1. Choose a random nonzero field element z. 

2. Compute the relevant powers of z (see Subsection 2.3). 

3. Transform the curve parameters. 

4. Transform each of the t points of T[]. 

5. Perform scalar multiplication using Algorithm EFF-SCLR-MULT. 

6. Transform the result back to the original curve. 

The specific transformations are different for ECC and HECC. For ECC we use the 
Joye-Tymen transformation while for HECC we use Avanzi's transformation. 
Accordingly the costs are also different. From the discussion in Section 2.3 we 
get the following costs. 

ECC : 1[i] + 4[s] + (4 + 2t)[m] ≈ 1[i] + (8 + 2t)[m] assuming [m] = [s]. 

HECC : 1[i] + (23 + 4t)[m] (1[i] + (20 + 4t)[m] for odd characteristic). 

5 Results and Comparison 

In this section, we present some results of our algorithm and compare it with 
other algorithms. We do it separately for HECC of genus 2 and ECC. 

5.1 HECC 

We compare the performance of Algorithm EFF-SCLR-MULT to the algorithms 
(a), (b) and (c) described in Section 2.4. Table 3 displays these calculations. In 
Table 3, columns (a)-(c) refer to the algorithms listed in rows (a)-(c) of Table 2. 
The cost of DPA resistance has been added to the cost of (b) and (c). Column (d) 
stands for our algorithm. The column n stands for the bit size of the multiplier m. 
The parameter w stands for the window size. The complexities of the algorithms 
(a)-(c) do not vary with w as they are not window-based. The parameter t stands 
for the size of the look-up table and is equal to the number of points required 
to be stored. 

Table 3. HECC: Comparison of the number of multiplications for different values 
of the number of bits n required to represent the scalar multiplier m. 

 Parameters    |              i = 8                |              i = 30 
 n     w    t  |   (a)     (b)     (c)     (d)     |   (a)     (b)     (c)     (d) 
 160   5   32  |  8240   10896   10129    8501     | 11440   15539   13665    8743 
 160  10   16  |  8240   10896   10129    8937     | 11440   15539   13665    9267 
 160  20    8  |  8240   10896   10129    9190     | 11440   15539   13665    9718 
 160  40    4  |  8240   10896   10129    9389     | 11440   15539   13665   10335 
 160  80    2  |  8240   10896   10129    9690     | 11440   15539   13665   11440 

One can easily observe that, for certain window sizes over prime 
fields, the proposed algorithm (d) is better than even the average case complexity of 
double-and-add (column (a)), which is not SPA resistant. In the best scenario, 
the new algorithm achieves a speed-up of around 77 percent if i = 30 over the 
usual SPA resistant double-and-always-add approach (b). Over binary fields, the 
performance enhancement is lower, only 28.1%, due to the fact that i is lower. 
For other values of i similar comparisons can be made. We have observed that 
as i increases from 30 to 40, the cost of (b) goes up by around 10%, whereas the 
cost of our algorithm goes up by about 1% only. 
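The following added Python example (not the paper's code) replays the bookkeeping behind column (d) of Table 3. It implements INVERT (Montgomery's trick, as described in Subsection 3.2) with an operation counter, reproduces the inversion schedule of TreeADD (Proposition 3) and of EFF-SCLR-MULT (Proposition 4), and then adds the DPA overhead of Section 4.2. The field is a constructed prime field; the per-operation counts a = 25 and d = 27 are the affine genus-2 addition (22[m] + 3[s]) and doubling (22[m] + 5[s]) costs quoted in Section 2.4 with [s] = [m]. With these inputs the code reproduces the (d) entries of Table 3 exactly.

```python
# Added example (not the paper's code): Montgomery's simultaneous-inversion
# trick (INVERT) with an operation counter, used to replay the inversion
# schedules of TreeADD and EFF-SCLR-MULT and compare them with Propositions
# 3 and 4 and with column (d) of Table 3. The prime field is constructed.

P = 1_000_003  # constructed prime modulus


class OpCounter:
    """Counts the field multiplications and inversions actually performed."""

    def __init__(self):
        self.mul = 0
        self.inv = 0

    def mulmod(self, x, y):
        self.mul += 1
        return x * y % P

    def invmod(self, x):
        self.inv += 1
        return pow(x, P - 2, P)


def invert(elems, ctr):
    """INVERT: invert every element of `elems` (all nonzero) with one field
    inversion and 3(n - 1) multiplications, i.e. I(n) = 1[i] + 3(n - 1)[m]."""
    n = len(elems)
    prefix = [elems[0]]
    for x in elems[1:]:                          # n - 1 multiplications
        prefix.append(ctr.mulmod(prefix[-1], x))
    acc = ctr.invmod(prefix[-1])                 # the single inversion
    out = [0] * n
    for i in range(n - 1, 0, -1):                # 2(n - 1) multiplications
        out[i] = ctr.mulmod(acc, prefix[i - 1])  # (e_0..e_i)^-1 * e_0..e_{i-1}
        acc = ctr.mulmod(acc, elems[i])          # now (e_0..e_{i-1})^-1
    out[0] = acc
    return out


def sample(k):
    """k constructed nonzero field elements; only their number matters."""
    return [j + 2 for j in range(k)]


def tree_add_inversion_cost(r):
    """Inversion schedule of TreeADD on 2^r points: at level i (i = r..1) the
    2^(i-1) additions share one INVERT. Returns (inversions, multiplications)
    spent inside INVERT; Proposition 3 predicts (r, 3*2^r - 3r - 3)."""
    ctr = OpCounter()
    for i in range(r, 0, -1):
        invert(sample(1 << (i - 1)), ctr)
    return ctr.inv, ctr.mul


def eff_sclr_mult_cost(n, w, a, d):
    """Replay the step structure of EFF-SCLR-MULT for an n-bit scalar and
    window w (t = ceil(n/w) must be a power of two, as the paper assumes):
    Steps 2-4 double t points (INVERT on t elements); Steps 5-13 run w-2
    iterations, each adding and doubling t points (INVERT on 2t); Steps
    14-16 add t points (INVERT on t); Step 17 is TreeADD. Multiplications
    inside A1/A3 and D1/D3 are charged as a per addition and d per doubling."""
    t = -(-n // w)
    r = t.bit_length() - 1
    assert 1 << r == t, "t must be a power of two"
    ctr = OpCounter()
    mults = 0
    invert(sample(t), ctr)                        # Steps 2-4
    mults += t * d
    for _ in range(w - 2):                        # Steps 5-13
        invert(sample(2 * t), ctr)
        mults += t * (a + d)
    invert(sample(t), ctr)                        # Steps 14-16
    mults += t * a
    for i in range(r, 0, -1):                     # Step 17: TreeADD
        invert(sample(1 << (i - 1)), ctr)
        mults += (1 << (i - 1)) * a
    return ctr.inv, ctr.mul + mults


def proposition4(n, w, a, d):
    """Closed form of Proposition 4 as (inversions, multiplications)."""
    t = -(-n // w)
    r = t.bit_length() - 1
    return w + r, t * (w - 1) * (a + d + 6) - 3 * w + (t - 1) * a + 3 * t - 3 * r - 3


A_HECC, D_HECC = 25, 27   # genus-2 affine addition / doubling with [s] = [m]


def table3_column_d(n, w, i):
    """Cost in [m] of EFF-SCLR-MULT plus Avanzi's DPA countermeasure
    (1[i] + (23 + 4t)[m] from Section 4.2), an inversion charged as i[m]."""
    t = -(-n // w)
    invs, mults = eff_sclr_mult_cost(n, w, A_HECC, D_HECC)
    return invs * i + mults + i + 23 + 4 * t


if __name__ == "__main__":
    for w in (5, 10, 20, 40, 80):
        print(w, table3_column_d(160, w, 8), table3_column_d(160, w, 30))
```

Because the counter records what `invert` really does, a disagreement between `eff_sclr_mult_cost` and `proposition4` would show up as an arithmetic error in one of them rather than pass silently; the inversion count w + r is the part that matters most for the comparison, since one inversion is worth 8 or 30 multiplications here.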

5.2 Efficiency for Elliptic Curves 

The algorithm EFF-SCLR-MULT can also be used for ECC over prime fields. 
This is because the ECADD and ECDBL algorithms in affine co-ordinates have a 
structure similar to that of Figure 1. For a 160-bit scalar multiplier, the amount 
of computation required by the algorithm to compute the scalar multiplication 
is shown in Table 4. To compare the performance of the algorithm with other 
algorithms proposed in the literature we show Table 5, which is taken from [8]. 
It shows the efficiency of some other SCA resistant methods. Note that the table 
does not exactly match the table presented in [8], as we have not taken 
additions into account and have taken [s] = [m]. Table 5 shows that for efficient 
and secure computation of scalar multiplication, Improved Moller's method with 
window size 3 and a = −3 is the best. It takes 2429[m] computations. Our 
algorithm takes 2222[m] in the best situation, when the window size is 5, nearly 
10% performance enhancement. 

Table 4. ECC: Number of multiplications required by EFF-SCLR-MULT assuming i = 30. 

  w    t    Complexity 
  5   32    2222[m] 
 10   16    
 20    8    2693[m] 
 40    4    3226[m] 

Table 5. ECC: Number of multiplications required by previous algorithms under 
the assumptions [i] = 30 and [m] = [s]. 

 Method                                     (160-bit ECC) 
 Coron's dummy addition                     3375[m] 
 Coron's dummy addition with a = −3         3057[m] 
 Improved Moller with w = 2                 3220[m] 
 Improved Moller with w = 2 and a = −3      3064[m] 
 Improved Moller with w = 3                 2543[m] 
 Improved Moller with w = 3 and a = −3      2429[m] 
 Improved Izu-Takagi                        2758[m] 
 Improved Izu-Takagi with a = −3            2439[m] 



5.3 Memory Requirement 

The parameter t in Table 3 determines the size of the look-up table. It is equal 
to the number of points to be stored in the look-up table. It is natural that the 
efficiency of the algorithm goes up as we invert more and more elements together. 
If a window size of 5 is chosen then the table size will be 32. In a hyperelliptic 
curve cryptosystem with reasonable security, a point size is around 320 bits. So, 
the table will occupy around 1.2 kilobytes of memory. 

Additionally, Algorithm EFF-SCLR-MULT requires some more intermediate 
points and field elements. The calculation for these is as follows. 

— 2t + 1 intermediate points including one dummy point ($Q_0$) for Coron's trick. 

— 2t field elements $(\alpha_0, \ldots, \alpha_{t-1})$ and $(\beta_0, \ldots, \beta_{t-1})$ for applying 
Montgomery's trick. 

This memory requirement might be costly for memory constrained applications 
(as in smart card applications). In such situations our algorithm cannot be used. 
However, we note that in situations where the amount of memory is not a constraint 
(as in desktops), our algorithm provides a speed-up over the known algorithms 
(for fixed base point). 
Abstract. In this paper we present a fast addition algorithm in the 
Jacobian of a Picard curve over a finite field $\mathbb{F}_q$ of characteristic different 
from 3. This algorithm has a nice geometric interpretation, comparable to 
the classic "chord and tangent" law for the elliptic curves. Computational 
cost for addition is 144M + 12SQ + 2I and 158M + 16SQ + 2I for doubling. 



Introduction 

The discrete logarithm problem (DLP) is one of the two main problems on which 
public key cryptography is based (the other one being integer factorisation, in 
RSA cryptosystem): for example, Diffie-Hellman key exchange protocol [3] and 
ElGamal cryptosystem [4] are based on this problem. 

In 1987, Miller [16] and Koblitz [11] suggested (independently) the use of 
the group of points of an elliptic curve over a finite field for DLP. It is now a 
well treated subject, and is even used in some industrial applications. Most of 
today’s research is focused on the natural generalization of this example: DLP 
in the Jacobian of higher genus curves. One advantage is that, given an abstract 
finite group, one can use smaller fields (as Hasse-Weil formula shows). 

In order to produce cryptosystems based on these Jacobian varieties, the 
first thing to worry about is to have secure cryptosystems (see [12] to find secure 
Picard curves). Still, it is very important to compute efficiently in the group, 
and an important part of today's research is devoted to allowing fast arithmetic in 
Jacobians of curves. For instance, many papers study the case of hyperelliptic 
curves of genus 2 and 3 ([14, 15, 13, 19]). 

In this article, we find explicit formulae for computing in the Jacobian of a 
Picard curve, basing ourselves on some geometric aspects of these curves. Volcheck [23], 
Huang and Ierardi [10] already proposed general methods for computing in the 
Jacobians of arbitrary algebraic curves. These algorithms are not practical from 
a computational point of view though, and in addition they need to extend the 
base field. Hess' paper [9] is closer to our geometrical point of view, inasmuch as 
it provides an explicit version of the Riemann-Roch theorem (see also [8]). 

* This work was supported by the European Community's Human Potential Programme 
(G.T.E.M. network) for the first author and by DFG for the second one. 
1 Preliminaries and Notations 

1.1 Jacobian Varieties of Algebraic Curves 

In this section, we briefly recall fundamental facts on Picard groups and Jacobians. 
The letter k stands for an arbitrary perfect field, and $\bar k$ denotes a given 
algebraic closure of k. 

Let C be a complete non-singular curve over k. The divisor group of C is 
the free abelian group Div(C) consisting of formal sums $\sum_{P \in C(\bar k)} n_P \cdot P$ in 
which the $n_P$'s are integers, finitely many of them being non-zero. Each divisor 
consists in an obvious way of a positive part and a negative part. It is called 
effective if there is no negative part. 

A divisor is defined over k if it is fixed by the natural Galois action of 
$\mathrm{Gal}(\bar k | k)$. The divisor group of C over k, denoted $\mathrm{Div}_k(C)$, is the group of 
elements of Div(C) defined over k. 

Given any $D = \sum_{P \in C(\bar k)} n_P \cdot P \in \mathrm{Div}(C)$, one can define the degree of D, 
denoted deg(D), as $\sum_P n_P$. 

Let f be a non-zero element of the function field of C. Then, the divisor of 
f is 

$(f) := \sum_{P \in C(\bar k)} v_P(f) \cdot P$ 

where $v_P(f)$ denotes the valuation of f in the discrete valuation ring $k[C]_P$. 

Any such divisor is called a principal divisor, and two divisors are said to 
be equivalent if they differ by a principal divisor. One can check that any 
principal divisor is indeed a degree zero divisor. Moreover, if f is defined over k, 
then $(f) \in \mathrm{Div}_k(C)$. 

The divisor class group (or the Picard group), denoted Pic(C), is then the 
quotient of the group Div(C) by the subgroup of principal divisors. We let 
$\mathrm{Pic}_k(C)$ be the subgroup of Pic(C) fixed by the natural Galois action of $\mathrm{Gal}(\bar k | k)$. 
If we substitute Div(C) by $\mathrm{Div}^0(C)$, we respectively obtain the degree 0 part of 
the divisor class group of C, denoted $\mathrm{Pic}^0(C)$, and its subgroup $\mathrm{Pic}^0_k(C)$. 

The most important and striking fact about $\mathrm{Pic}^0(C)$ is that it admits a kind 
of "reification" (as D. Mumford suggestively presents them), the Jacobian 
variety $J_C$ of C. More precisely, $J_C$ represents a functor attached to the Picard 
group of C (see [17] for a very dense introduction to Jacobian varieties). It is 
automatically an abelian variety, whose dimension is the genus of C. Moreover, 
for each field L such that C has an L-rational point, the group $J_C(L)$ is canonically 
isomorphic to $\mathrm{Pic}^0_L(C)$. 

Suppose the curve C has an affine model over k, with only one point at 
infinity (this is the case for Picard curves). Then, one can see the Jacobian in a 
third way, namely as the ideal class group of the integral closure of k[x] in k(C) 
(which is a Dedekind ring) associated to this model ([5, p. 6] or [7]). The sum of 
two divisors corresponds to the product of the associated ideals. 
Of course, it may appear obvious to compute in the Jacobian (or, equivalently, 
in the degree zero Picard group): the sum of two divisors is just the resulting 
formal sum. But it is of considerable importance for cryptographic ends to have 
a unique and concise way to express divisors. This leads to the notion of a 
reduced divisor. Indeed, a consequence of the Riemann-Roch theorem is the following 
representation theorem of divisors: 

Theorem 1 (Representation by reduced divisors). Let C be a non-singular 
curve over k of genus g, with a given k-point $P_\infty$. Let D be an element of 
$\mathrm{Div}^0_k(C)$. Then, there exists an effective divisor E over k of degree $m \le g$, whose 
support does not contain $P_\infty$, and such that $E - m \cdot P_\infty$ is equivalent to D (we 
refer to such a divisor as an almost reduced divisor). 

It is unique if we demand m to be minimal, and it is then called the reduced 
representation of (the divisor class of) D. 

1.2 Picard Curves and Their Jacobians 

In the following k is any field of characteristic different from 3. 

A Picard curve is a genus 3 cyclic trigonal curve. Any Picard curve C admits 
a projective model of the following form 

$z \cdot y^3 = z^4 \cdot f_4(x/z)$ 

where $f_4$ is a monic degree 4 separable polynomial of one variable over k. It has 
a unique point at infinity, $P_\infty$, namely (0 : 1 : 0). 

Any Picard curve C appears as a cyclic Galois cover of degree 3 of the projective 
line, with 5 (totally) ramified points (including $P_\infty$). The automorphism 
group of this cover is generated by 

$\sigma : (x : y : z) \mapsto (x : \zeta y : z)$ 

where $\zeta$ is a non-trivial cubic root of unity. Two points are conjugate if they lie 
on the same geometric fibre of the cover. Each non-ramification point P of C 
has thus two conjugate points, namely $P^\sigma$ and $P^{\sigma^2}$. 

Note that $v_{P_\infty}(x) = -3$ and $v_{P_\infty}(y) = -4$. Let f be a polynomial in k[x, y], 
of degree m, not lying in the ideal of C. According to Bezout's theorem (as C is 
irreducible), the intersection multiplicity of f with C at $P_\infty$, denoted by $\mathrm{ord}_\infty(f)$, 
is equal to $4m + v_{P_\infty}(f)$. 

In the following, we will use the so-called "Mumford representation" of divisors. 
This representation arises from the one proposed in [18], page 3.17, for 
reduced divisors of hyperelliptic curves. One may see it as an interpolation theorem 
for the points in the support of the divisor. This is harmless for hyperelliptic 
curves, as there cannot be any pair of conjugate points in the support of a reduced 
divisor of a hyperelliptic curve. Unfortunately, this is not true anymore 
for Picard curves, and in fact the Mumford representation is only suitable for a 
peculiar (but very likely) class of reduced divisors, namely the ones that do not 
have any two conjugate points in their support (they are called typical in [2], a 
terminology that we will keep in this paper). 
Theorem 2 (Reduced divisors and Mumford representation). An almost 
reduced divisor is not reduced if and only if its positive part $D_0$ is of degree 
3, and such that there exists a line l with $(l)_0 \ge D_0$. 

Let D be a typical reduced divisor over k. It can then be uniquely represented 
as the intersection divisor of u and y − v, with: 

- $u, v \in k[x]$, 

- u monic, 

- $\deg(v) < \deg(u) \le 3$, and 

- $u \mid v^3 - f_4$. 

Note 1. For any typical reduced divisor D, we will note its Mumford representation 
polynomials by $u_D$ and $y - v_D$. In the ideal class group, D corresponds 
to $\langle u_D, y - v_D \rangle$. 

Proof. The presented proof differs from the one of [2]. 

First of all, let us treat the case where $D_0 = P + Q$ is of degree 2. Suppose 
we have $P + Q - 2 \cdot P_\infty = R - P_\infty + (f)$ for an $f \in k(C)$. Then, 

$P + Q + R^\sigma + R^{\sigma^2} - 4 \cdot P_\infty = (f_1)$ 

for an $f_1 \in k(C)$. As $v_{P_\infty}(f_1) = -4$, $f_1$ must be a line not passing through $P_\infty$. 
This contradicts the fact that it goes through $R^\sigma$ and $R^{\sigma^2}$. 

Suppose now that $D = P_1 + P_2 + P_3 - 3 \cdot P_\infty$. The divisor D cannot be equivalent 
to some $R - P_\infty$, because this would prove the existence of a polynomial 
f such that $v_{P_\infty}(f) = -5$. 

If D is equivalent to some $Q_1 + Q_2 - 2 \cdot P_\infty$, we have to distinguish two cases, 
namely whether $Q_1$ and $Q_2$ are conjugate or not. 

If they are not conjugate, then 

$P_1 + P_2 + P_3 + Q_1^\sigma + Q_1^{\sigma^2} + Q_2^\sigma + Q_2^{\sigma^2} - 7 \cdot P_\infty = (f)$ 

with f a conic crossing C once through $P_\infty$. It crosses the line $(Q_1 P_\infty)$ (resp. 
$(Q_2 P_\infty)$) in three points, thus it should contain these two lines. This contradicts 
the previous statement. 

In the remaining case (D equivalent to $Q_1 + Q_1^\sigma - 2 \cdot P_\infty$), one has 

$P_1 + P_2 + P_3 + Q_1^{\sigma^2} - 4 \cdot P_\infty = (f)$ 

This means that there exists a line f such that $(f)_0 \ge P_1 + P_2 + P_3$. 

The second part of the theorem is straightforward. □ 

Remark 1. In the case of a non-typical divisor $D = P_1 + P_1^\sigma + P_2$, one can 
write D as the intersection divisor of $u \in k[x]$ (corresponding to the two lines 
$(P_1 P_\infty)$ and $(P_2 P_\infty)$), $\deg(u) \le 2$, with an element of the k-vector space spanned 
by $1, x, y, x^2, y^2, xy$ (corresponding to the two lines $(P_1 P_2)$ and $(P_1^\sigma P_2)$). 

The algorithm presented in the next section only works for typical divisors, 
and the result is an almost reduced divisor, which is with very high probability 
a typical one. 
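As an added illustration (not from the paper), the following Python code builds the Mumford representation (u, y − v) of a typical reduced divisor of a Picard curve y^3 = f4(x) over a small prime field as the interpolation described above, and checks the conditions of Theorem 2: u monic, deg(v) < deg(u) ≤ 3 and u | v^3 − f4. The prime 103, the quartic f4 = x^4 + x + 5 (assumed separable) and the three points are constructed; polynomials are coefficient lists, lowest degree first.

```python
# Added example (not the paper's code): Mumford representation of a typical
# reduced divisor on a Picard curve y^3 = f4(x) over a constructed prime
# field, obtained by interpolation and checked against Theorem 2.

P = 103                     # constructed prime, characteristic != 3
F4 = [5, 1, 0, 0, 1]        # constructed f4(x) = x^4 + x + 5 (assumed separable)


def padd(a, b):
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]


def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def pscale(a, c):
    return [x * c % P for x in a]


def pmod(a, m):
    """Remainder of a modulo the monic polynomial m."""
    a = a[:]
    while len(a) >= len(m):
        c = a[-1]
        shift = len(a) - len(m)
        for i, mi in enumerate(m):
            a[shift + i] = (a[shift + i] - c * mi) % P
        a.pop()                      # leading coefficient is now zero
    return a


def peval(a, x):
    acc = 0
    for coeff in reversed(a):
        acc = (acc * x + coeff) % P
    return acc


def curve_points(f4, count):
    """`count` affine points of y^3 = f4(x) with pairwise distinct
    x-coordinates, so no two are conjugate and the divisor is typical."""
    pts = []
    for x in range(P):
        rhs = peval(f4, x)
        for y in range(P):
            if pow(y, 3, P) == rhs:
                pts.append((x, y))
                break
        if len(pts) == count:
            return pts
    raise ValueError("not enough points on the constructed curve")


def mumford_representation(points):
    """u = prod (x - x_i); v = Lagrange interpolation of the y_i at the x_i,
    so that the divisor is the intersection of u and y - v."""
    u = [1]
    for x, _ in points:
        u = pmul(u, [(-x) % P, 1])
    v = [0]
    for i, (xi, yi) in enumerate(points):
        term = [yi]
        for j, (xj, _) in enumerate(points):
            if j != i:
                inv_diff = pow((xi - xj) % P, P - 2, P)
                term = pmul(term, pscale([(-xj) % P, 1], inv_diff))
        v = padd(v, term)
    return u, v


def is_mumford(u, v, f4):
    """The conditions of Theorem 2 for a typical reduced divisor."""
    v3 = pmul(pmul(v, v), v)
    diff = padd(v3, pscale(f4, P - 1))          # v^3 - f4
    return u[-1] == 1 and len(v) < len(u) <= 4 and not any(pmod(diff, u))


if __name__ == "__main__":
    pts = curve_points(F4, 3)
    u, v = mumford_representation(pts)
    print(pts, u, v, is_mumford(u, v, F4))
```

The divisibility test is what makes the representation a certificate: since u has three distinct roots, u | v^3 − f4 holds exactly when each interpolated point satisfies the curve equation, which is why perturbing one y-coordinate off the curve makes the check fail.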
2 Fast Addition Algorithm for Jacobian of Picard Curves 

2.1 Main Algorithm 

As said in the introduction, the following algorithm is inspired by the "chord 
and tangent" law on the group of points of an elliptic curve. In our case, we will 
have to replace the chord or the tangent by a cubic, and we will introduce a 
conic in order to get the opposite of a divisor. Note that for an elliptic curve, or 
even a hyperelliptic curve, the latter operation requires no computation. 

In [20], the authors make use of similar geometric constructions to propose a 
reduction algorithm. Instead of using a cubic, they work recursively, reducing a 
degree 4 effective divisor into a degree ≤ 3 effective divisor, with the help of two 
conics. Their algorithm requires working with rational points (or performing some 
field extensions). It also requires a final factorisation of a polynomial 
in k[x] of degree at most 3. As our algorithm is completely explicit (i.e. we only 
perform some elementary operations in the base field k), we will not need any 
of these requirements. 



Geometric Description of the Jacobian Group Addition. In the most 
common case, we have two typical reduced divisors $D_1 := P_1 + P_2 + P_3 - 3 \cdot P_\infty$ 
and $D_2 := Q_1 + Q_2 + Q_3 - 3 \cdot P_\infty$, and we want to find the reduced divisor 
equivalent to $P_1 + P_2 + P_3 + Q_1 + Q_2 + Q_3 - 6 \cdot P_\infty$. Let us consider the divisor 

$D := -(P_1 + P_2 + P_3 + Q_1 + Q_2 + Q_3 - 9 \cdot P_\infty)$ 

This is a degree 3 divisor defined over k. The Riemann-Roch theorem asserts that 

$l(D) - l(K - D) = \deg(D) + 1 - g = 1$ 

(where K stands for the canonical divisor), so that in any case $l(D) \ge 1$. 

In particular, there exists a w in k(C) such that $(w) \ge -D$. As the only pole 
of w is $P_\infty$, it is a polynomial in k[x, y]. Moreover, as $v_{P_\infty}(w) \ge -9$, one knows 
that w is an element of the k-vector space spanned by $1, x, x^2, xy, y, y^2, x^3$. From 
now on, we take w to be the unique such element (up to a multiplicative factor) 
with maximal valuation at $P_\infty$. 

If w is a conic, a very unlikely situation, then geometric considerations on 
J(C) allow a very easy computation of the reduction of $D_1 + D_2$. Let us illustrate 
this in the case where the support of $D_1 + D_2$ consists of six points aside from 
$P_\infty$ that lie on a (unique) conic, not going through $P_\infty$. Then the conic crosses 
C in exactly two more points $Q_1$ and $Q_2$. Taking the line through those two 
points gives us two new points $K_1$ and $K_2$, such that $K_1 + K_2 - 2 \cdot P_\infty$ is the 
reduction of $D_1 + D_2$ (see Fig. 1). 

If w is a cubic, Bezout's theorem asserts that the corresponding variety crosses 
C in exactly three more points, say $R_1$, $R_2$ and $R_3$. One has the obvious relation 

$(P_1 + P_2 + P_3 - 3 \cdot P_\infty) + (Q_1 + Q_2 + Q_3 - 3 \cdot P_\infty) = -(R_1 + R_2 + R_3 - 3 \cdot P_\infty) + (w)$ 

so that we have obtained an almost reduced form of the opposite of $D_1 + D_2$. 
Fig. 1. Case where $w$ is a conic



Using Riemann-Roch in the same way as we have just done, one can show that there exists a unique conic $v$ going through $R_1$, $R_2$, $R_3$ and twice through $P_\infty$. It crosses $C$ in three further points $K_1$, $K_2$, $K_3$, and by construction, $K_1 + K_2 + K_3 - 3\cdot P_\infty$ is in the class of $D_1 + D_2$.

One can roughly sum up how the algorithm works by Fig. 2.

Algebraic Interpretation and Formulae. The presented algorithm can be naturally divided into three steps: finding $w$, reducing $-(D_1 + D_2)$, and then taking the opposite (with the conic). Now we give an algebraic interpretation of these steps.

First step: computation of the cubic 

This is the only step where one has to distinguish between addition and 
doubling. 

Addition 

First of all, let us treat the most common case, in which $w$ can be expressed as

$$w = y^2 + s\cdot y + t$$

where $s$ and $t$ are polynomials in $x$, with $\deg(s) \le 1$ and $\deg(t) \le 3$. As the support of $D_1$ (resp. $D_2$) is contained in the support of $(w)$, we are naturally led to find three polynomials $s$, $\delta_1$ and $\delta_2$ in $x$, of degree $\le 1$, such that

$$w = (y - v_1)\cdot(y + v_1 + s) + u_1\cdot\delta_1 = (y - v_2)\cdot(y + v_2 + s) + u_2\cdot\delta_2$$

It is easy to see that the leading coefficient of $\delta_1$ (resp. $\delta_2$) has to be the square of that of $v_1$ (resp. $v_2$).
Fig. 2. Description of the algorithm



It then leads to the unique condition:

$$(v_1 + v_2 + s)\cdot(v_1 - v_2) + u_2\cdot\delta_2 - u_1\cdot\delta_1 = 0$$

In case $w$ has no $y^2$ term, the same strategy gives the condition

$$s\cdot(v_1 - v_2) + \delta_2\cdot u_2 - \delta_1\cdot u_1 = 0$$

where $\delta_1$ and $\delta_2$ are constant polynomials.

Note that these two equations are very similar. In fact, during the computation of $s$ and $\delta_1$, we consider in both subcases the remainder $r$ of $z_1\cdot u_1$ by $u_2$, where $z_1$ is the inverse of $v_1 - v_2$ modulo $u_2$. It turns out that if $r$ is of degree 2, then we are in the first subcase; if not, we are in the second one.

The only remaining case is a trivial one, namely when the points of the support of $D_1$ are conjugate to the points of the support of $D_2$.

Doubling 

In that case, we are looking for a $w$ in the ideal $\langle u_1^2,\; u_1\cdot(y - v_1),\; (y - v_1)^2\rangle$. Here we only treat the main subcase, where $w$ has a $y^2$ part, and hence when $w$ can be written in the following manner:

$$(y - v_1)\cdot(y + v_1 + s) + u_1\cdot\delta_1$$

(the other subcases are either similar or trivial, and very unlikely anyway). The unique condition, obtained in the same way as above, is then

$$(y - v_1)\cdot(2v_1 + s) + u_1\cdot\delta_1 \in \langle u_1^2,\; u_1\cdot(y - v_1),\; (y - v_1)^2\rangle$$

In other respects, an easy computation shows that:

$$3v_1^2\cdot(y - v_1) - u_1\cdot w_1 \in \langle u_1^2,\; u_1\cdot(y - v_1),\; (y - v_1)^2\rangle$$

where $w_1$ is defined by $v_1^3 - f_4 = u_1\cdot w_1$.

This implies that

$$3v_1^2u_1\cdot\delta_1 + (2v_1 + s)\cdot u_1\cdot w_1 \in \langle u_1^2,\; u_1\cdot(y - v_1),\; (y - v_1)^2\rangle$$

If $w_1$ is prime to $u_1$, that is, if the support of $D_1$ does not contain any ramification point (different from $P_\infty$), then we have

$$u_1 \mid \big(3v_1^2\cdot\delta_1 + (2v_1 + s)\cdot w_1\big)$$

and the computation of the inverse of $w_1$ in $k[x]/(u_1)$ gives us $\delta_1$, and then $s$.

Remark 2. If the support of $D_1 + 3\cdot P_\infty$ does contain a ramification point, then the geometry of the curve allows us to compute the reduction of $2\cdot D_1$ easily.



Second step: computation of $-(D_1 + D_2)$

Here, we only treat the most common case (which is also the most difficult one), namely when $w$ has a $y^2$ term, and hence can be written

$$w = y^2 + s\cdot y + t$$

with $s, t \in k[x]$, $\deg(s) \le 1$ and $\deg(t) \le 3$.

We already know how to characterize the reduced divisor equivalent to $-(D_1 + D_2)$: it suffices to compute the intersection divisor of the (variety attached to the) cubic $w$ with $C$.

A way to find $u_{-(D_1+D_2)}$ is thus to compute the resultant $\mathrm{Res}(w, C)$ of $w$ with $y^3 - f_4$ (relative to $y$), to compute the quotient of $\mathrm{Res}(w, C)$ by $u_1\cdot u_2$, and then to normalize.

To compute $v_{-(D_1+D_2)}$ one can exploit the relation

$$(t - s^2)\cdot v_{-(D_1+D_2)} = (s\cdot t - f_4) \bmod (u_{-(D_1+D_2)})$$

so that $v_{-(D_1+D_2)}$ is the remainder of $\alpha_1\cdot(s\cdot t - f_4)$ modulo $u_{-(D_1+D_2)}$, where $\alpha_1$ is the inverse of $t - s^2$ in $k[x]/(u_{-(D_1+D_2)})$.

Third step: computation of $D_1 + D_2$

Obviously, one has $v_{D_1+D_2} = -v_{-(D_1+D_2)}$. Thus, we are reduced to computing $u_{D_1+D_2}$. It is easily obtained as the (normalized) euclidean quotient of $(v_{D_1+D_2})^3 - f_4$ by $u_{-(D_1+D_2)}$.
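As an added illustration (not the authors' code and not the optimised formulae of Sect. 2.2), the following script carries out the three steps of the most common case directly along the geometric description above, with plain polynomial arithmetic over a constructed field $\mathbb{F}_{1019}$ and a constructed curve $y^3 = x^4 + 5x^3 + 3x + 7$. The third step takes the conic $y = v_R(x)$ through $R_1, R_2, R_3$ literally, so the returned $v$ is $v_{-(D_1+D_2)}$ reduced modulo $u_{D_1+D_2}$ (the sign normalisations of the tables are not reproduced); all function names and the sample divisors are constructed.

```python
# Added example, not the paper's code: the "most common case" of the Sect. 2.1 Jacobian
# addition carried out directly from its geometric description (the cubic w through the
# six points, then the conic y = v(x) through R1, R2, R3), with plain polynomial
# arithmetic over a constructed field F_P. Polynomials are low-degree-first lists.
P = 1019              # constructed prime, P = 2 (mod 3): every element has exactly one cube root
F = [7, 3, 0, 5, 1]   # constructed Picard curve y^3 = f(x), f = x^4 + 5x^3 + 3x + 7
def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a
def padd(a, b):
    return trim([x + y for x, y in zip(a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b)))])
def psub(a, b):
    return padd(a, [-c for c in b])
def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1 if a and b else 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)
def pdivmod(a, b):  # Euclidean division in F_P[x]: (quotient, remainder)
    a, b = trim(a), trim(b)
    inv, r, q = pow(b[-1], -1, P), a, [0] * max(len(a) - len(b) + 1, 0)
    while len(r) >= len(b):
        c, k = r[-1] * inv % P, len(r) - len(b)
        q[k] = c
        r = trim([r[i] - c * b[i - k] if i >= k else r[i] for i in range(len(r))])
    return trim(q), r
def pmod(a, b):
    return pdivmod(a, b)[1]

def pinv(a, m):  # inverse of a modulo m in F_P[x] (extended Euclid)
    r0, s0, r1, s1 = trim(m), [], pmod(a, m), [1]
    while len(r1) > 1:
        q, r = pdivmod(r0, r1)
        r0, s0, r1, s1 = r1, s1, r, psub(s0, pmul(q, s1))
    if not r1:
        raise ValueError("not invertible: outside the most common case")
    return pmod(pmul(s1, [pow(r1[0], -1, P)]), m)

def solve(M, rhs):  # Gauss-Jordan over F_P for a square system; raises if singular
    n, A = len(M), [row[:] + [r] for row, r in zip(M, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] % P), None)
        if piv is None:
            raise ValueError("singular system: outside the most common case")
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, P)
        A[col] = [v * inv % P for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] % P:
                A[r] = [(x - A[r][col] * y) % P for x, y in zip(A[r], A[col])]
    return [A[r][n] for r in range(n)]

def divisor(xs):
    """[u, v] for the constructed points (x_i, f(x_i)^(1/3)), x_i distinct: u = prod (x - x_i)
    and v interpolates the y_i, so that v^3 = f (mod u)."""
    pts = [(x, pow(sum(c * pow(x, i, P) for i, c in enumerate(F)) % P, pow(3, -1, P - 1), P)) for x in xs]
    u, v = [1], []
    for x0, y0 in pts:
        u, li = pmul(u, [-x0, 1]), [y0]
        for x1, _ in pts:
            if x1 != x0:
                li = pmul(li, [-x1 * pow(x0 - x1, -1, P), pow(x0 - x1, -1, P)])
        v = padd(v, li)
    return u, v

def add_divisors(D1, D2):
    """D1 + D2 for deg u1 = deg u2 = 3 in the most common case (w has a y^2 term)."""
    (u1, v1), (u2, v2) = D1, D2
    # First step: the cubic w = y^2 + s*y + t (deg s <= 1, deg t <= 3) vanishing on supp(D1)
    # and supp(D2): t + s*v_i + v_i^2 = 0 (mod u_i) is 6 linear equations in s0, s1, t0..t3.
    rows, rhs = [], []
    for u, v in (D1, D2):
        cols = [pmod(pmul(v, [0] * k + [1]), u) for k in range(2)] + [pmod([0] * k + [1], u) for k in range(4)]
        r = psub([], pmod(pmul(v, v), u))
        for i in range(3):
            rows.append([c[i] if i < len(c) else 0 for c in cols])
            rhs.append(r[i] if i < len(r) else 0)
    s0, s1, t0, t1, t2, t3 = solve(rows, rhs)
    s, t = trim([s0, s1]), trim([t0, t1, t2, t3])
    if len(t) < 4:
        raise ValueError("deg t < 3: outside the most common case")
    # Second step: Res_y(w, y^3 - f) = t^3 + f*(s^3 - 3st) + f^2 vanishes at the nine
    # x-coordinates cut out by w; dividing by u1*u2 leaves the residual points R1, R2, R3.
    s3 = pmul(pmul(s, s), s)
    res = padd(padd(pmul(pmul(t, t), t), pmul(F, psub(s3, pmul([3], pmul(s, t))))), pmul(F, F))
    uR, rem = pdivmod(res, pmul(u1, u2))
    assert rem == [], "resultant not divisible by u1*u2"
    uR = pmul(uR, [pow(uR[-1], -1, P)])   # normalise to a monic polynomial
    # On w and C together (t - s^2)*y = s*t - f, which gives the y-coordinates of the R_i.
    vR = pmod(pmul(pinv(psub(t, pmul(s, s)), uR), psub(pmul(s, t), F)), uR)
    # Third step: the conic y = vR(x) through R1, R2, R3 meets C again in K1, K2, K3, and
    # K1 + K2 + K3 - 3*Pinf ~ D1 + D2: uK = (vR^3 - f) / uR, vK = vR (mod uK).
    uK, rem = pdivmod(psub(pmul(pmul(vR, vR), vR), F), uR)
    assert rem == [], "vR^3 - f not divisible by uR"
    uK = pmul(uK, [pow(uK[-1], -1, P)])
    return uK, pmod(vR, uK)
```

Associativity of the result on three constructed divisors is the meaningful check, since commutativity holds by construction (the same cubic $w$ is found whichever order the inputs come in).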
2.2 Explicit Formulae in the Most Common Case

The given algorithms correspond to the case when $w$ has a $y^2$ term. Note that in order to speed up the algorithm, we have used Karatsuba tricks to multiply two polynomials. Similarly, we only compute the coefficients we need in the algorithm. For instance, as we only need to know the quotient of the resultant of $w$ and $C$ by $u_1\cdot u_2$, the degree $\le 5$ part of this resultant is irrelevant. The reader can find the tables for addition and doubling in the appendix at the end of this article.

3 Remarks and Outlook 

As far as we know, the presented algorithm for computing in the Jacobian of a Picard curve is quite efficient. In [2, p. 24], the authors present estimates for the cost of various algorithms computing the reduction of a typical divisor of degree 6 in the Jacobian of a Picard curve. The most efficient algorithm is supposed to need roughly 150M and 6I. The composition in itself has a computational cost of about 50M and 1I.

The cost for addition in the Jacobian of hyperelliptic curves of genus 3 is substantially lower than ours (it is about I + 70M + 6SQ, see [19]). On the other hand, for cryptographic purposes, scalar multiplication is the main topic. In that respect, our algorithm benefits from the two following remarks, which should approximately halve the complexity: one can speed up scalar multiplication using the fast automorphism $\sigma$ defined on p. 57 (see [6]), and rather use $-2$-adic expansions instead of the usual 2-adic expansions (see [1]).

Our viewpoint was definitely geometric, and we did not separate composition from reduction. One may hope that this viewpoint can be generalised to a much broader class of curves. This statement is strengthened by the fact that Cantor's algorithm and its improvements [14] for computing in the Jacobian of a hyperelliptic curve of genus 2 can be interpreted in the very same way as our algorithm. Note though that this case is the only one where Cantor's algorithm and ours coincide.

We have presented formulae for Picard curves. We stress the fact that they are immediately adaptable to non-singular curves of genus 3 with a hyperflex. In that case, an addition requires 160M + 17SQ + 2I and a doubling requires 177M + 21SQ + 2I.
Table 1. Addition, $\deg u_1 = \deg u_2 = 3$

Input: $D_1 = [u_1, v_1]$ and $D_2 = [u_2, v_2]$ with $u_i = x^3 + u_{i2}x^2 + u_{i1}x + u_{i0}$, $v_i = v_{i2}x^2 + v_{i1}x + v_{i0}$, and $f = x^4 + f_3x^3 + f_2x^2 + f_1x + f_0$.

Output: $D = [u_{D_1+D_2}, v_{D_1+D_2}] = D_1 + D_2$ with $u_{D_1+D_2} = x^3 + d_1x^2 + d_2x + d_3$ and $v_{D_1+D_2} = v'_2x^2 + v'_1x + v'_0$.

Step 1 (15M+1SQ): compute the resultant $res_1$ of $(v_1 - v_2)$ and $u_2$, and $z_1 := res_1/(v_1 - v_2) \bmod u_2$; result $z_1 = inv_0x^2 + inv_1x + inv_2$.

Step 2 (52M+1SQ+1I): compute the cubic $w = y^2 + sy + t$; result $w = y^2 + (t_{62}x + t_{63})y + t_{64}x^3 + t_{65}x^2 + t_{66}x + t_{67}$.

Step 3 (14M+5SQ): compute $\mathrm{res}(w, C, y)$.

Step 4 (7M): compute $u_{-(D_1+D_2)}$; result $u_{-(D_1+D_2)} = x^3 + c_1x^2 + c_2x + c_3$.

Step 5 (42M+2SQ): compute $\mathrm{res}(t - s^2, u_{-(D_1+D_2)}, x)$ and precomputations for $v_{D_1+D_2}$.

Step 6 (5M+1I): compute $v_{D_1+D_2}$; result $v'_2 = -t_{133}$, $v'_1 = -t_{134}$, $v'_0 = -t_{135}$.

Step 7 (9M+3SQ): compute $u_{D_1+D_2}$; result $d_1 = 3t_{138} - c_1$, $d_2 = 3t_{139} + 3s_{12} + t_{137} - c_2 - t_{142}$, $d_3 = t_{140} + t_{141} - c_3 - t_{143} - t_{144}$.

Total: 144M, 12SQ, 2I.

(The intermediate quantities $t_i$, $s_i$, $inv_i$, $c_i$ of each step are illegible in the scanned table and are not reproduced.)

Stephane Flon and Roger Oyono
Table 2. Doubling, $\deg u_1 = 3$

Input: $D_1 = [u_1, v_1]$ with $u_1 = x^3 + u_{12}x^2 + u_{11}x + u_{10}$, $v_1 = v_{12}x^2 + v_{11}x + v_{10}$, and $f = x^4 + f_3x^3 + f_2x^2 + f_1x + f_0$.

Output: $D = [u_{2D_1}, v_{2D_1}] = 2D_1$ with $u_{2D_1} = x^3 + d_1x^2 + d_2x + d_3$ and $v_{2D_1} = v'_2x^2 + v'_1x + v'_0$.

Step 1 (11M+2SQ): compute $w_1$ such that $u_1w_1 = v_1^3 - f$.

Step 2 (16M+2SQ): compute the resultant $res_1$ of $w_1$ and $u_1$, and $z_1 := res_1/w_1 \bmod u_1$; result $z_1 = inv_0x^2 + inv_1x + inv_2$.

Step 3 (58M+1SQ+1I): compute the cubic $w = y^2 + sy + t$; result $w = y^2 + (t_{80}x + t_{81})y + t_{82}x^3 + t_{83}x^2 + t_{84}x + t_{85}$.

Step 4: compute $\mathrm{res}(w, C, y)$.

Step 5: compute $u_{-(2D_1)}$; result $u_{-(2D_1)} = x^3 + c_1x^2 + c_2x + c_3$.

Step 6: compute $\mathrm{res}(t - s^2, u_{-(2D_1)}, x)$ and precomputations for $v_{2D_1}$.

Step 7 (5M+1I): compute $v_{2D_1}$; result $v'_2 = -t_{147}$, $v'_1 = -t_{148}$, $v'_0 = -t_{149}$.

Step 8 (9M+3SQ): compute $u_{2D_1}$; result $d_1 = 3t_{152} - c_1$, $d_2 = 3t_{153} + 3s_{16} + t_{151} - c_2 - t_{156}$, $d_3 = t_{154} + t_{155} - t_{157} - c_3 - t_{158}$.

Total:

(The intermediate quantities $t_i$, $s_i$, $inv_i$, $c_i$, the costs of steps 4 to 6 and the total are illegible in the scanned table and are not reproduced.)
Abstract. We present a new undeniable signature scheme which is based on the computation of characters. Our signature scheme offers the advantage of having an arbitrarily short signature. Its asymptotic complexity is attractive: the asymptotic complexity of all algorithms (even the key setup) is quadratic in the size of the modulus $n$ in bits when the other parameters are fixed. The practical complexity can be quite low depending on parameter and variant choices. We also present a proof of security of our scheme covering the standard security requirements of an undeniable signature.

Key words: Undeniable Signatures, Residue Characters.



1 Introduction 

The concept of undeniable signature was first introduced in 1989 by Chaum and van Antwerpen [6]. This kind of signature is similar to a classical digital signature except that one has to interact with the signer in order to be convinced of its validity. This property offers the advantage of preventing arbitrary entities from verifying the validity of a signature. In fact, limiting this universal verifiability (as it exists in the case of a classical digital signature) is desirable in certain circumstances, e.g. for privacy reasons. Here, the signer can control how the verification spreads in a community.

To be complete, an undeniable signature should be composed of three main components: the signature generation, the confirmation protocol and the denial protocol. The role of the confirmation protocol is to allow the signer to prove the validity of a given signature. Conversely, the denial protocol allows a signer (prover) to prove the invalidity of a given signature. It is important to keep in mind that a failure in the confirmation protocol is not a proof of the invalidity of a signature but could be only due to a lack of cooperation from the prover. A similar argument also holds for the denial protocol. So, the confirmation (resp. denial) protocol is only used to prove the validity (resp. invalidity) of a signature.

Since their introduction, undeniable signatures have received a certain attention and several papers related to them have been published. We give here a list of

* Supported in part by a grant of the Swiss National Science Foundation, 200021- 
101453/1. 

F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 69-85, 2004. 

(c) International Association for Cryptologic Research 2004 
some of them, [3,4,5,8,9,10,15]. It turns out that almost all of the undeniable signature schemes are based on the discrete logarithm. In [10], Gennaro et al. presented an undeniable signature based on RSA. In this paper, we propose a new undeniable signature that is based on another type of problem, namely the ability of computing a character on $\mathbb{Z}_n^*$. This actually corresponds to a generalization of the quadratic residuosity problem. In the present work, we focus our study on the characters of order 2, 3 and 4. Note that the characters of order 3 have already been used in some public-key cryptosystems, e.g. [17], as well as more general characters, e.g. [18].

In Section 2, we survey the mathematical theory of the characters on $\mathbb{Z}_n^*$. Section 3 is dedicated to the study of some problems related to the security of our scheme, in particular for the cases of order $d = 2, 3, 4$. The new scheme is presented in Section 4. Section 5 is devoted to the security of our scheme. We provide proofs of some security properties such as the resistance of our scheme against existential forgery or the soundness of the confirmation and denial protocols. Section 6 concludes the article.

2 Characters on $\mathbb{Z}_n^*$

In this section, we introduce the notion of multiplicative characters. The order 2, 3 and 4 cases will be exposed in the following subsections.

Definition 1. Let $n$ be an integer. A character $\chi$ on $\mathbb{Z}_n^*$ is a map from $\mathbb{Z}_n^*$ to $\mathbb{C} - \{0\}$ satisfying $\chi(ab) = \chi(a)\chi(b)$ for all $a, b \in \mathbb{Z}_n^*$.

From this definition, we can quickly deduce that $\chi(1) = 1$ and that the value $\chi(a)$ is always a $\lambda(n)$-th root of unity for all $a \in \mathbb{Z}_n^*$, where $\lambda(n)$ denotes the Carmichael function. We can also define a group structure on the set of characters on $\mathbb{Z}_n^*$. In this group, the product (group operation) $\chi_1\chi_2$ of the two characters $\chi_1$ and $\chi_2$ represents the map $a \mapsto \chi_1(a)\chi_2(a)$ and the inverse $\chi^{-1}$ maps each element $a$ to $\chi(a)^{-1}$.

Proposition 2. Let $p$ be a prime and $d$ an integer such that $d \mid p - 1$.

1. The group of characters defined on $\mathbb{Z}_p^*$ is a cyclic group of order $p - 1$.

2. The characters on $\mathbb{Z}_p^*$ of order dividing $d$ form a cyclic subgroup of order $d$.

A proof of this proposition can be found at the beginning of chapter 8 of [12].

The second part of this proposition is especially interesting for us because we will consider characters of small order (e.g. 2, 3, 4) defined on $\mathbb{Z}_n^*$ for $n$ large. We notice also that a character of order $d$ maps the elements of $\mathbb{Z}_n^*$ to the set $\{\zeta_d^j \mid 0 \le j \le d - 1\}$, where $\zeta_d$ denotes the $d$-th root of unity $e^{2\pi i/d}$ and $i := \sqrt{-1}$.

We provide a way to define certain multiplicative characters on $\mathbb{Z}_n^*$ for an $n$ being the product of two special primes. Since $\mathbb{Z}_n^*$ is not cyclic, using the above definition in this case is not suitable. It is more natural for our purposes to define such characters in a similar way as the Jacobi symbol is defined from the Legendre symbol. First, assume we are given an integer $d$ and two different primes $p, q$ such that $d \mid p - 1$ and $d \mid q - 1$. From two characters $\chi_1$, $\chi_2$ of order $d$ defined on $\mathbb{Z}_p^*$ respectively $\mathbb{Z}_q^*$, we define a character $\eta$ of order $d$ in the following way: $\eta(a) := \chi_1(a \bmod p)\cdot\chi_2(a \bmod q)$.

For each character $\chi$ of order $d$ we will sometimes associate a logarithm function denoted $\log_\chi$. For an element $a \in \mathbb{Z}_n^*$, we know that $\chi(a)$ is of the form $\zeta_d^j$ for a $j \in \{0, 1, \ldots, d - 1\}$. We define $\log_\chi(a)$ to be equal to this $j$.

In the following subsections we present some complements that are specific 
to the cases d = 2,3,4. For more details, we refer to Ireland and Rosen [12]. 

2.1 Characters of Order 2

Let $p$ be an odd prime number. By Proposition 2, we know that there are only two characters of order 2, namely the trivial character $\varepsilon$ that maps every element to 1 and the Legendre symbol. We recall that the Legendre symbol $(a/p)$ for an integer $a$ with $(a, p) = 1$ is 1 if $a$ is congruent to a square modulo $p$ (quadratic residue) and $-1$ if it is not the case (quadratic non-residue). It turns out that there are $(p-1)/2$ quadratic residues resp. quadratic non-residues in $\mathbb{Z}_p^*$.

For an odd integer $n$, the Jacobi symbol $(a/n)$ for an $a \in \mathbb{Z}$ s.t. $(a, n) = 1$ is defined as $(a/n) = (a/p_1)^{e_1}\cdot(a/p_2)^{e_2}\cdots(a/p_k)^{e_k}$, where the factorization of $n$ into primes is $p_1^{e_1}\cdots p_k^{e_k}$. Some additional properties are given below.

Proposition 3. Let $p$ be an odd prime, $a, b \in \mathbb{Z}$ and $n \in \mathbb{Z}$ odd. Then

1. $a^{(p-1)/2} \equiv (a/p) \pmod p$.

2. $(ab/n) = (a/n)(b/n)$.

3. If $a \equiv b \pmod n$, then $(a/n) = (b/n)$.

4. (Quadratic Reciprocity) $(a/b)(b/a) = (-1)^{\frac{a-1}{2}\cdot\frac{b-1}{2}}$ for $a$ and $b$ odd.

5. $(2/n) = (-1)^{\frac{n^2-1}{8}}$.

Let us consider a modulus $n = pq$. From the above discussion we deduce that the complete list of characters of order 2 on $\mathbb{Z}_n^*$ is $(\cdot/p)$, $(\cdot/q)$, $(\cdot/n)$ and the trivial character. Note that the properties given in Proposition 3 are used in order to compute the Jacobi symbol with a time complexity of $O(\log(n)^2)$.
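The following added example (not code from the paper) computes the Jacobi symbol using only the rules of Proposition 3, and builds the order-2 character $\eta(a) = \chi_1(a \bmod p)\cdot\chi_2(a \bmod q)$ of Section 2 from two Legendre symbols together with its $\log_\chi$; the moduli in the checks are small constructed values.

```python
# Added example (not from the paper): the Jacobi symbol from the rules of Proposition 3
# alone, the order-2 character eta(a) = chi_1(a mod p) * chi_2(a mod q) on Z_n^* built
# from two Legendre symbols, and log_chi for d = 2 (zeta_2 = -1). The moduli used in the
# checks are small constructed values.

def jacobi(a, n):
    """(a/n) for odd n > 0 from Prop. 3: rule 3 (reduce a mod n), rules 2 and 5
    (pull out factors of 2) and rule 4 (quadratic reciprocity). 0 if gcd(a, n) > 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a, result = a % n, 1
    while a != 0:
        while a % 2 == 0:            # (2/n) = (-1)^((n^2-1)/8) is -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # (a/n)(n/a) = (-1)^((a-1)/2 * (n-1)/2), a and n odd
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def legendre_euler(a, p):
    """(a/p) for an odd prime p by Euler's criterion, item 1 of Prop. 3."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def eta(a, p, q):
    """Order-2 character on Z_n^*, n = p*q, as in Section 2: eta(a) = chi_1(a mod p) *
    chi_2(a mod q) with chi_1, chi_2 the Legendre symbols; this is the Jacobi symbol (a/n)."""
    return legendre_euler(a % p, p) * legendre_euler(a % q, q)

def log_chi(value):
    """log_chi for a character of order 2: the j with zeta_2^j = (-1)^j = value."""
    return {1: 0, -1: 1}[value]
```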

2.2 Characters of Order 3

Here, we introduce the ring of Eisenstein integers. Indeed, this ring is the natural structure to study the characters of order 3 or the cubic residuosity. Most of the results below are taken from [12].

In what follows, $\omega$ will always denote the complex number $\frac{-1 + \sqrt{-3}}{2}$. We define the ring of the Eisenstein integers as the set $\mathbb{Z}[\omega] := \{a + b\omega \mid a, b \in \mathbb{Z}\}$ with the classical operations (addition, multiplication) of $\mathbb{C}$. We notice that $\omega$ is a non-trivial cubic root of 1 and satisfies $\omega^2 + \omega + 1 = 0$.

For an element $\alpha \in \mathbb{Z}[\omega]$, we define the norm $N(\alpha) = \alpha\bar\alpha$, where $\bar\alpha$ denotes the complex conjugate of $\alpha$. This is the classical (squared) norm induced by the complex plane. From the definition, we have $N(a + b\omega) = a^2 - ab + b^2$.
It can be shown that $\mathbb{Z}[\omega]$ is a unique factorization domain, i.e. every element can be decomposed into a product of irreducible elements uniquely up to a unit element. We can also call the irreducible elements the prime elements of $\mathbb{Z}[\omega]$. To avoid confusion, a prime of $\mathbb{Z}$ will be called a rational prime if the context is not clear. The units are the invertible elements and in this case all have a norm equal to one. Hence, the units of $\mathbb{Z}[\omega]$ are $\pm 1$, $\pm\omega$, $\pm\omega^2$. All prime numbers of $\mathbb{Z}[\omega]$ are classified below.

Proposition 4. The following statements describe all primes of $\mathbb{Z}[\omega]$.

1. Let $p$ be a rational prime s.t. $p \equiv 1 \pmod 3$. There exists a prime $\pi$ s.t. $N(\pi) = \pi\bar\pi = p$.

2. If $q$ is a rational prime s.t. $q \equiv 2 \pmod 3$, then $q$ is also a prime in $\mathbb{Z}[\omega]$.

3. $1 - \omega$ is prime and $N(1 - \omega) = 3$.

The ideal generated by an $\alpha \in \mathbb{Z}[\omega]$ is denoted by $(\alpha)$ and is equal to $\alpha\cdot\mathbb{Z}[\omega]$.

Proposition 5. Let $\pi$ be a prime in $\mathbb{Z}[\omega]$. Then $\mathbb{Z}[\omega]/(\pi)$ is a finite field with $N(\pi)$ elements.

We can also prove that the sets $\{a + b\omega \mid 0 \le a, b < q\}$ resp. $\{0, 1, 2, \ldots, p - 1\}$ form all representatives of the residue class field in the case where $q \equiv 2 \pmod 3$ resp. $p \equiv 1 \pmod 3$. We can also prove that for a prime $\pi$ s.t. $N(\pi) \ne 3$ and $\alpha \in \mathbb{Z}[\omega]$ s.t. $\alpha \not\equiv 0 \pmod \pi$, we have $\alpha^{(N(\pi)-1)/3} \equiv \omega^i \pmod \pi$ for an $i \in \{0, 1, 2\}$. Here, $\omega^i$ is called the cubic residue character of $\alpha$ modulo $\pi$ and is denoted as $(\alpha/\pi)_3$ or as $\chi_\pi(\alpha)$. If $\alpha \equiv 0 \pmod \pi$, we set $\chi_\pi(\alpha) = 0$.

Let $\alpha$ and $\beta$ be in $\mathbb{Z}[\omega]$. Suppose the prime factorization of $\beta$ is $u\pi_1^{e_1}\cdots\pi_k^{e_k}$ where $N(\pi_i) \ne 3$ for all $1 \le i \le k$ and $u$ is a unit. Then the Jacobi-like symbol $(\alpha/\beta)_3$ is defined as $\prod_{i=1}^{k}(\alpha/\pi_i)_3^{e_i}$. In order to formulate the law of cubic reciprocity, we have to introduce the concept of primary. We say that an element $\alpha$ of $\mathbb{Z}[\omega]$ is primary iff $\alpha \equiv -1 \pmod 3$. Note that the term "primary" does not only apply to prime numbers¹. Every element possesses exactly one associate that is primary. (An associate of an element $\alpha$ is an element of the form $u\alpha$ for a unit $u$.)

Proposition 6. Let $\pi$ be a prime s.t. $N(\pi) \ne 3$ and $\alpha, \beta, \gamma \in \mathbb{Z}[\omega]$. Let $\alpha = 3(A + B\omega) - 1$ be primary with $A, B \in \mathbb{Z}$.

1. $(\alpha/\pi)_3 = 1$ iff $x^3 \equiv \alpha \pmod \pi$ is solvable, i.e., iff $\alpha$ is a cubic residue.

2. $(\alpha\beta/\gamma)_3 = (\alpha/\gamma)_3(\beta/\gamma)_3$.

3. $\alpha \equiv \beta \pmod \gamma \Rightarrow (\alpha/\gamma)_3 = (\beta/\gamma)_3$.

4. (Law of Cubic Reciprocity) If $\alpha$ and $\beta$ are primary, then $(\alpha/\beta)_3 = (\beta/\alpha)_3$.

5. $(\omega/\alpha)_3 = \omega^{A+B}$.

6. $((1 - \omega)/\alpha)_3 = \omega^{2A}$.

¹ The analogous notion of "primary" in $\mathbb{Z}$ is the notion of "negative" number.
We are now in the position to define the characters of order 3 on $\mathbb{Z}_p^*$ for a rational prime $p$ and their extensions on a composite modulus that is a Jacobi-like symbol. We consider only the case where $p \equiv 1 \pmod 3$, since the characters are nontrivial only in this case. Set $p = \pi\bar\pi$. Recall first that the field $\mathbb{Z}[\omega]/(\pi)$ can be represented by $\mathbb{Z}_p$ since the set $\{0, 1, \ldots, p-1\}$ contains all representatives and the multiplications are equivalent in the two cases. Thus, the cubic residue character $\chi_\pi$ is completely defined on $\mathbb{Z}_p^*$. We directly deduce that $\chi_{\bar\pi}$ is another nontrivial character of order 3 and is even equal to $\bar\chi_\pi$ on the rational integers. Let $p, q$ be two different rational primes such that $p \equiv q \equiv 1 \pmod 3$ and $\pi, \sigma \in \mathbb{Z}[\omega]$ such that $N(\pi) = p$ and $N(\sigma) = q$. Let $n = pq$; the character on $\mathbb{Z}_n^*$ produced by $\chi_\pi$ and $\chi_\sigma$ is denoted by $\chi_{\pi\sigma}$ and is defined as $\chi_{\pi\sigma}(a) = \chi_\pi(a) \cdot \chi_\sigma(a)$. The other characters are defined exactly in the same multiplicative way. There are 8 nontrivial characters of order 3 defined on $\mathbb{Z}_n^*$, namely $\chi_\pi$, $\chi_\sigma$, $\chi_{\bar\pi}$, $\chi_{\bar\sigma}$, $\chi_{\pi\sigma}$, $\chi_{\bar\pi\sigma}$, $\chi_{\pi\bar\sigma}$ and $\chi_{\bar\pi\bar\sigma}$.

Here, we explain how to find these characters and how they can be computed. The first step consists of finding a prime $\pi \in \mathbb{Z}[\omega]$ such that $N(\pi) = p \equiv 1 \pmod 3$ for a rational prime $p$. We assume here some knowledge of the algorithms of Tonelli and Cornacchia (for more details see Cohen [7]).

For a given $p$, we have to find an element $a + b\omega \in \mathbb{Z}[\omega]$ such that $a^2 - ab + b^2 = p$. This is equivalent to $(a - \frac{b}{2})^2 + 3\,\frac{b^2}{4} = p$. By introducing the two new variables $s = a - \frac{b}{2}$ and $t = \frac{b}{2}$, we obtain $s^2 + 3t^2 = p$ for $s, t \in \mathbb{Z}$. Now, it suffices to apply the algorithm of Cornacchia to solve this equation in $s$ and $t$. This algorithm consists of finding an $x \in \mathbb{Z}$ such that $x^2 \equiv -3 \pmod p$ (apply the algorithm of Tonelli) and then applying the Euclidean algorithm to $x$ and $p$ until we get the first remainder $r_n$ such that $r_n^2 < p$. A solution is given by setting $s = r_n$.
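As an added illustration (not code from the paper), the following Python carries out the two steps just described for a small prime $p \equiv 1 \pmod 3$: a Tonelli square root of $-3$ followed by Cornacchia's Euclidean loop gives $\pi = a + b\omega$ with $N(\pi) = p$, and the identification $\mathbb{Z}[\omega]/(\pi) = \mathbb{Z}_p$ then lets one tabulate $\chi_\pi$ on $\mathbb{Z}_p^*$ and check Proposition 6 and the conjugation relation between $\chi_\pi$ and $\chi_{\bar\pi}$ stated above. The function names and the sample primes are my own choices.

```python
import math

# Added example, not code from the paper: build a prime pi = a + b*omega of Z[omega] with
# N(pi) = p for a rational prime p = 1 (mod 3) by the Tonelli/Cornacchia route, then
# evaluate the cubic residue character chi_pi on Z_p^* through Z[omega]/(pi) = Z_p
# (omega goes to a primitive cube root of unity w modulo p).

def sqrt_mod_prime(a, p):
    """Tonelli-Shanks: a square root of a modulo the odd prime p, or None for a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:                       # p - 1 = q * 2^s with q odd
        q //= 2
        s += 1
    if s == 1:                              # p = 3 (mod 4): closed formula
        return pow(a, (p + 1) // 4, p)
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def prime_of_norm(p):
    """Return (a, b) with pi = a + b*omega and a^2 - a*b + b^2 = p, for a prime p = 1 (mod 3).
    Cornacchia: solve s^2 + 3 t^2 = p, then a = s + t, b = 2 t."""
    if p % 3 != 1:
        raise ValueError("p must be 1 (mod 3)")
    x = sqrt_mod_prime(-3 % p, p)           # Tonelli step: x^2 = -3 (mod p)
    if x < p // 2:
        x = p - x
    r0, r1 = p, x
    while r1 * r1 >= p:                     # Euclid on p and x until the first remainder r_n^2 < p
        r0, r1 = r1, r0 % r1
    s = r1
    t2, rem = divmod(p - s * s, 3)
    t = math.isqrt(t2)
    if rem or t * t != t2:                  # cannot happen for p = 1 (mod 3)
        raise ArithmeticError("Cornacchia failed")
    return s + t, 2 * t

def omega_image(a, b, p):
    """Residue w of omega in Z[omega]/(pi) = Z_p for pi = a + b*omega: w = -a/b (mod p)."""
    w = (-a * pow(b, -1, p)) % p
    assert (w * w + w + 1) % p == 0        # w is a primitive cube root of unity mod p
    return w

def cubic_character(alpha, p, w):
    """Exponent i in {0,1,2} with chi_pi(alpha) = omega^i, i.e. alpha^((p-1)/3) = w^i (mod p).
    Returns None when alpha = 0 (mod p), where the character is set to 0."""
    alpha %= p
    if alpha == 0:
        return None
    e = pow(alpha, (p - 1) // 3, p)
    return {1: 0, w: 1, w * w % p: 2}[e]

def character_table(p):
    """All values of chi_pi on Z_p^*, with the checks of Proposition 6 (residue iff exponent 0,
    multiplicativity) and chi_{pi-bar} = conjugate of chi_pi on the rational integers."""
    a, b = prime_of_norm(p)
    w = omega_image(a, b, p)
    table = {x: cubic_character(x, p, w) for x in range(1, p)}
    cubes = {pow(x, 3, p) for x in range(1, p)}
    assert all((table[x] == 0) == (x in cubes) for x in table)
    assert all(table[x * y % p] == (table[x] + table[y]) % 3 for x in table for y in table)
    w_bar = w * w % p                       # pi-bar = (a-b) - b*omega sends omega to w^2
    assert all(cubic_character(x, p, w_bar) == (-table[x]) % 3 for x in table)
    return (a, b), w, table

if __name__ == "__main__":
    (a, b), w, table = character_table(7)
    print(f"pi = {a} + {b}*omega, N(pi) = 7, omega -> {w} mod 7;", table)
```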

Suppose we have a character $\chi_\alpha$ where $\alpha$ can be for example $\pi\sigma$ or $\bar\pi\sigma$. The computation of a residue character $(a/\alpha)_3$ can be done using a similar technique to the computation of the Jacobi symbol in the context of quadratic residuosity. Indeed, this consists of reducing $a$ mod $\alpha$ by a Euclidean division in $\mathbb{Z}[\omega]$ and then applying the cubic reciprocity law to exchange the two elements of the character. This last step can be done only after having extracted some units in order that $a$ and $\alpha$ become primary. Then by iterating this operation, we reduce the size of the elements involved in the cubic residue character until this one becomes trivial. Note that the asymptotic complexity of the computation is $O(\log(n)^2)$ using standard arithmetic and $O(\log(n)\log\log(n)\log\log\log(n))$ using fast arithmetic. This is almost the same order of magnitude as the classical Jacobi symbol, which is $O(\log(n)^2)$ (see Cohen [7] p. 31). For more details about this algorithm and its complexity we refer to Scheidler [17].



2.3 Characters of Order 4

Studying the characters of order 4 consists principally of the theory of biquadratic residuosity. This one is quite similar to that of cubic residuosity and is done in the ring of Gaussian integers $\mathbb{Z}[i]$. A rational prime $p$ of the form $p \equiv 1 \pmod 4$ is the norm of a prime $\pi$ in $\mathbb{Z}[i]$. The field $\mathbb{Z}[i]/(\pi)$ has the set of representatives $\{0, 1, \ldots, p-1\}$ and is identical to $\mathbb{Z}_p$. The biquadratic residue character of an $\alpha \in \mathbb{Z}[i]$ is defined as $\chi_\pi(\alpha) := i^j$ where $j \in \{0, 1, 2, 3\}$ is such that $\alpha^{(p-1)/4} \equiv i^j \pmod \pi$. Moreover, this character generates the two other nontrivial characters of order 4. Note also that the square of $\chi_\pi$ is equal to the quadratic residue character $\chi_p$. We can also define a Jacobi-like symbol in this context similarly to that in the theory of characters of order 3. Moreover, there is also a law of reciprocity in a similar way as before.

2.4 Characters of Higher Orders

It is possible to extend our character constructions to some orders greater than 4 by introducing a power residue symbol defined on the integers of a cyclotomic field. A general treatment of these cases would be beyond the scope of this paper. Moreover, the computation seems to be more difficult to deal with and the ring of these integers becomes a non-unique factorization domain when the order is large. Since such a ring is not a principal ideal domain, we should work with ideals that are generated by more than one element. However, we do not lose the existence of the reciprocity laws, namely there exists a so-called Kummer's reciprocity law (see [14]).

3 On the Hardness of Related Problems

Here we expose some different computational problems that will be related to the security of our scheme. In particular, we focus this treatment on the case of characters of order $d \in \{2, 3, 4\}$.

For two problems $P$ and $P'$, we use the Karp reduction, i.e. we say that $P$ is at most as hard as $P'$ if the problem $P$ can be solved in polynomial time by using one access to an oracle $\mathcal{O}_{P'}$ that can solve $P'$. We will denote this as $P \le P'$. Moreover, this is also equivalent to saying that $P'$ is at least as hard as $P$. We also say that two problems $P$ and $P'$ are equivalent if $P \le P'$ and $P' \le P$ are satisfied. We denote this property as $P \equiv P'$.

Let $\theta$ be a $d$th primitive root of 1 in $\mathbb{C}$, where $d$ is typically equal to 2, 3, 4. Below we expose the different problems.

FACT. For a given $n \in \mathbb{Z}$, find the factorization of $n$ in $\mathbb{Z}$.

CYCLOFACT$^d$. Let $\sigma$ be an element of $\mathbb{Z}[\theta]$. Find the factorization of $\sigma$.

ROOT($-3$). Let $n \in \mathbb{Z}$ be such that $-3$ is a quadratic residue modulo $n$. Given $n$, find a $u \in \mathbb{Z}$ such that $u^2 \equiv -3 \pmod n$.

ROOT($-1$). Let $n \in \mathbb{Z}$ be such that $-1$ is a quadratic residue modulo $n$. Given $n$, find a $u \in \mathbb{Z}$ such that $u^2 \equiv -1 \pmod n$.

FERMAT$^d$. Let $n \in \mathbb{Z}$ be such that $n = \pi\bar\pi$ for a $\pi \in \mathbb{Z}[\theta]$. Given $n$, find $\pi$.

CHARACTER$^d$. Let $n \in \mathbb{Z}$. Devise an algorithm which, given $x \in \mathbb{Z}_n^*$, computes $\chi(x)$ where $\chi$ is a hard character of order $d$ on $\mathbb{Z}_n^*$.

MOVA$^d_s$. Let $n \in \mathbb{Z}$, $s$ be a positive integer and $\chi$ a hard character of order $d$ on $\mathbb{Z}_n^*$. Given $s$ pairs $(\alpha_i, \chi(\alpha_i))$, where $\alpha_i \in \mathbb{Z}_n^*$ for all $1 \le i \le s$, and $x \in \mathbb{Z}_n^*$, compute $\chi(x)$.
Remark. By "hard character" we mean a nontrivial character and for $d = 2$ we also exclude the Jacobi symbol $(\cdot/n)$.

Lemma 7. FACT $\equiv$ CYCLOFACT$^d$ and FERMAT$^d \le$ CYCLOFACT$^d$ for $d = 2, 3, 4$. FERMAT$^3 \equiv$ ROOT($-3$) and FERMAT$^4 \equiv$ ROOT($-1$).

The proof is given in Appendix A. See also Landrock [13] for another cryptographic application of Fermat numbers (i.e. FERMAT$^4$ and ROOT($-1$)).

CHARACTER$^d$ plays an important role in the security of our signature. Indeed, the ability of signing will be related to the computation of hard characters when $n$ cannot be factorized. Notice that this is a generalization of the quadratic residuosity problem on which the security of the probabilistic Goldwasser-Micali encryption is based [11]. In practice, we will consider a modulus of the form $n = pq$. For $d = 2$, such characters are simply the Legendre symbols modulo $p$ and $q$. For $d = 3$, we can use the nontrivial characters. For example, $\chi_{\pi\sigma}$ is a case where the security is related to FERMAT$^3$ since $N(\pi\sigma) = n$. Indeed, an enemy that knows a square root of $-3$ modulo $n$ would be able to retrieve this character by Lemma 7. Thus, FERMAT$^3 \ge$ CHARACTER$^3$ and similarly FERMAT$^4 \ge$ CHARACTER$^4$. Note also that MOVA$^d_s \le$ CYCLOFACT$^d$, but MOVA$^d_s \le$ CHARACTER$^d$ in some cases only, because the character devised in CHARACTER$^d$ may be independent from the character required for MOVA$^d_s$.

4 Description of the MOVA Scheme

We present here the components of our undeniable signature scheme called "MOVA"².

Public Parameters. Let $s, t, k, \ell$ be some positive integers whose sizes depend on the required security level of the scheme. We let $\theta$ denote a primitive $d$th root of 1 in $\mathbb{C}$, where $d \in \{2, 3, 4\}$.

Primitives. We assume the existence of two pseudorandom generators $G_1 : \{0,1\}^* \to (\mathbb{Z}_n^*)^s$ and $G_2 : \{0,1\}^* \to (\mathbb{Z}_n^*)^t$. We also assume the existence of a commitment scheme denoted as COMMIT : $x \mapsto (\langle x \rangle, \mathrm{OPEN}_x)$ and CHECK$(x, \langle x \rangle, \mathrm{OPEN}_x)$.

Setup. The signer generates an $n$ and a hard character $\chi$ of order $d$ on $\mathbb{Z}_n^*$. Then he takes a string $\mathrm{Id} \in \{0,1\}^*$ and computes $G_1(\mathrm{Id}) = (\alpha_1, \ldots, \alpha_s)$. Finally, he computes the logarithm to the base $\theta$ of the character residues of the $\alpha_i$'s. We set $E_\alpha := (e_1, \ldots, e_s)$, an element of $\{0, 1, \ldots, d-1\}^s$ where $e_i = \log_\chi(\alpha_i)$ for all $1 \le i \le s$. If the $e_i$'s do not span $\mathbb{Z}_d$, or $e_i = (\alpha_i/n)$ for all $1 \le i \le s$ in the $d = 2$ case, then restart with another Id.³ For $d = 3$ or 4 we can either start by generating prime numbers $p$ and $q$, take $n = pq$, get $\pi$ such that $\pi\bar\pi = n$

² "MOVA" is related to the names of the authors of the present paper.

³ As discussed in Subsection 5.6 an authority could be involved in this scheme in order to tolerate a low $s$ parameter.
and set $\chi = (\cdot/\pi)_d$, or directly generate $n = \pi\bar\pi$ from a random $\pi \in \mathbb{Z}[\theta]$. The latter is performed with smaller complexity but the factorization of $n$ is unknown.

Public Key. $K_p = (n, \mathrm{Id}, E_\alpha)$.

Secret Key. $K_s = \chi$.

Signature generation. Let $m \in \{0,1\}^*$ be a message to sign. The signer generates $G_2(m) = (\beta_1, \ldots, \beta_t)$. Then the signer computes $c_i = \log_\chi(\beta_i)$. The signature of $m$ is $\Sigma$, where $\Sigma$ is defined as

$\Sigma := (c_1, c_2, \ldots, c_t)$.

Confirmation Protocol. We denote here the prover as $P$ and the verifier as $V$. The signer is given $(m, \Sigma)$, which is also public. Here is the sketch of the protocol.

Repeat $k$ times:

1. $V$ picks some values $a_1, a_2, \ldots, a_s, b_1, \ldots, b_t \in \{0, 1, \ldots, d-1\}$ and a $\gamma \in \mathbb{Z}_n^*$ randomly. Set $\delta := \gamma^d \cdot \prod_{i=1}^{s} \alpha_i^{a_i} \cdot \prod_{i=1}^{t} \beta_i^{b_i} \bmod n$. $V$ then sends $\delta$ to $P$.

2. $P$ computes $r = \log_\chi(\delta)$ and sends $r$ to $V$.

3. $V$ checks if $r = \sum_{i=1}^{s} a_i e_i + \sum_{i=1}^{t} b_i c_i \bmod d$. If this equality does not hold, $V$ rejects the signature.

For some security reasons, this protocol must include a commitment function. Indeed, we notice that somebody could use this protocol several times in order to sign a message of his choice. This can easily be done by sending the $\beta_i$'s instead of $\delta$ to the prover. A way to prevent such an attack is to use a commitment function as mentioned in Gennaro et al. [10]. In our confirmation protocol, the modification works in the following way. After having computed $r$ in Step 2, $P$ runs COMMIT$(r)$ and sends $\langle r \rangle$ to $V$, and then $V$ sends $\gamma, a_1, \ldots, a_s, b_1, \ldots, b_t$ to $P$. The prover checks that $\delta = \gamma^d \cdot \prod_{i=1}^{s} \alpha_i^{a_i} \cdot \prod_{i=1}^{t} \beta_i^{b_i} \bmod n$ really holds. Finally, $P$ sends $r, \mathrm{OPEN}_r$ to the verifier, who can then effect Step 3 and do CHECK$(r, \langle r \rangle, \mathrm{OPEN}_r)$.

Fig. 1. Confirmation Protocol with commitment. Message flow between $P$ and $V$: $V \to P$: $\delta_1, \ldots, \delta_k$; $P \to V$: $\langle r \rangle$; $V \to P$: the $a$'s, $b$'s and $\gamma$'s; $P \to V$: $r, \mathrm{OPEN}_r$.



Note that the confirmation protocol can be completely parallelized (see Figure 1). $V$ sends $\delta_1, \ldots, \delta_k$ defined as $\delta_i = \gamma_i^d \cdot \prod_{j=1}^{s} \alpha_j^{a_{ij}} \cdot \prod_{j=1}^{t} \beta_j^{b_{ij}}$ where the $a_{ij}$'s, $b_{ij}$'s and $\gamma_i$'s are picked at random. This protocol continues similarly with $r := (r_1, \ldots, r_k)$ as the value the prover commits to. Finally, after $V$ has sent the $a_{ij}$'s, $b_{ij}$'s and the $\gamma_i$'s to $P$, the latter opens the commitment on the values $r_i$. Note that $V$ can generate the $a_{ij}$'s, $b_{ij}$'s and the $\gamma_i$'s in a pseudorandom way and send the seed of the pseudorandom generator. This method can considerably decrease the communication complexity.
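The following Python (an added example, not the paper's implementation) runs the confirmation protocol with commitment on a toy instance with $d = 2$: the hard character is the Legendre symbol modulo $p$, $G_1$ and $G_2$ are derived from SHA-256 in counter mode, COMMIT is a salted hash, and the primes, Id, message and parameters are constructed toy values; the function and class names are assumptions of the example. It also shows the verifier rejecting an invalid signature, which is the situation the soundness argument of Section 5.3 analyses.

```python
import hashlib
import math
import random

# Added example, not the paper's code: a toy MOVA instance with d = 2 on n = p*q.  The hard
# character is the Legendre symbol modulo p (the Jacobi symbol (./n) is excluded), written
# additively: log_chi(x) = 0 if (x/p) = 1 and 1 if (x/p) = -1.  All parameters are toy values.

D = 2

def legendre_log(x, p):
    """log of the order-2 character (x/p): 0 for a quadratic residue, 1 otherwise."""
    return 0 if pow(x % p, (p - 1) // 2, p) == 1 else 1

def prg(tag, seed, n, count):
    """G_1 / G_2 of the scheme: derive `count` elements of Z_n^* from a string (SHA-256 counter mode)."""
    out, ctr = [], 0
    while len(out) < count:
        h = hashlib.sha256(f"{tag}|{seed}|{ctr}".encode()).digest()
        x = int.from_bytes(h, "big") % n
        if math.gcd(x, n) == 1:
            out.append(x)
        ctr += 1
    return out

def commit(value, rng):
    """COMMIT(x) -> (<x>, OPEN_x) as a salted hash."""
    opening = rng.getrandbits(128)
    return hashlib.sha256(f"{value}|{opening}".encode()).hexdigest(), opening

def check(value, com, opening):
    """CHECK(x, <x>, OPEN_x)."""
    return hashlib.sha256(f"{value}|{opening}".encode()).hexdigest() == com

def random_unit(n, rng):
    while True:
        g = rng.randrange(1, n)
        if math.gcd(g, n) == 1:
            return g

def build_delta(n, gamma, bases, exps):
    """gamma^d * prod bases[i]^exps[i] mod n, as in Step 1 and in the prover's re-check."""
    delta = pow(gamma, D, n)
    for base, exp in zip(bases, exps):
        delta = delta * pow(base, exp, n) % n
    return delta

class Signer:
    """Holds the secret key chi = (./p); (n, Id, e_1..e_s) is the public key."""

    def __init__(self, p, q, s, t):
        self.p, self.n, self.t = p, p * q, t
        for attempt in range(1000):             # Setup: restart with another Id until valid
            ident = f"id-{attempt}"
            alphas = prg("G1", ident, self.n, s)
            e = [legendre_log(a, p) for a in alphas]
            jacobi = [(legendre_log(a, p) + legendre_log(a, q)) % 2 for a in alphas]
            if any(e) and e != jacobi:          # e_i's span Z_2 and chi is not the Jacobi symbol
                self.public_key = (self.n, ident, tuple(e))
                return
        raise RuntimeError("no valid Id found")

    def log_chi(self, x):
        return legendre_log(x, self.p)

    def sign(self, message):
        betas = prg("G2", message, self.n, self.t)
        return tuple(self.log_chi(b) for b in betas)    # t bits

def confirm(prover, public_key, message, signature, k, rng):
    """Confirmation protocol with commitment, k rounds; returns the verifier's decision."""
    n, ident, e = public_key
    alphas = prg("G1", ident, n, len(e))
    betas = prg("G2", message, n, len(signature))
    for _ in range(k):
        # Step 1 (V): pick a_i, b_i in {0..d-1} and gamma in Z_n^*, send delta.
        a = [rng.randrange(D) for _ in alphas]
        b = [rng.randrange(D) for _ in betas]
        gamma = random_unit(n, rng)
        delta = build_delta(n, gamma, alphas + betas, a + b)
        # Step 2 (P): compute r = log_chi(delta) but send only the commitment <r>.
        r = prover.log_chi(delta)
        com, opening = commit(r, rng)
        # V reveals gamma, a, b; P recomputes delta and opens <r> only if it matches
        # (a verifier who had sent a beta_i itself instead of delta is refused here).
        if build_delta(n, gamma, alphas + betas, a + b) != delta:
            return False
        # Step 3 (V): open the commitment and test r against the linear relation mod d.
        expected = (sum(x * y for x, y in zip(a, e)) + sum(x * y for x, y in zip(b, signature))) % D
        if not check(r, com, opening) or r != expected:
            return False
    return True

def demo(seed=1):
    """Returns (valid signature confirmed, tampered signature rejected)."""
    rng = random.Random(seed)
    signer = Signer(p=23, q=31, s=4, t=4)       # constructed toy primes
    msg = "constructed message"
    sig = signer.sign(msg)
    accepted = confirm(signer, signer.public_key, msg, sig, 20, rng)
    bad_sig = ((sig[0] + 1) % D,) + sig[1:]     # flip c_1: an invalid signature
    rejected = not confirm(signer, signer.public_key, msg, bad_sig, 20, rng)
    return accepted, rejected
```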

Denial Protocol. Here, the verifier $V$ is given a message $m \in \{0,1\}^*$ and an alleged non-signature $\Sigma$ where $\Sigma = (c_1, \ldots, c_t)$. The protocol works as follows.

Repeat $\ell$ times:

1. The prover picks a matrix $A = (a_{ij}) \in \mathbb{Z}_d^{t \times s}$ at random and a matrix $B = (b_{ij}) \in \mathbb{Z}_d^{t \times t}$ of rank $t$. He then computes $q_i := \sum_{j=1}^{s} a_{ij} e_j + \sum_{j=1}^{t} b_{ij} c_j$ and $r_i := \sum_{j=1}^{s} a_{ij} e_j + \sum_{j=1}^{t} b_{ij} \log_\chi(\beta_j)$ for all $1 \le i \le t$. Set $Q = (q_i)$ and $R = (r_i)$. $P$ computes $\delta_i := \gamma_i^d \cdot \prod_{j=1}^{s} \alpha_j^{a_{ij}} \cdot \prod_{j=1}^{t} \beta_j^{b_{ij}} \bmod n$. He finally runs COMMIT$(\gamma, A, B)$, COMMIT$(R)$ and sends $\langle \gamma, A, B \rangle$, $\langle R \rangle$ and the values $\delta_i$'s, $Q$ to $V$.

2. $V$ picks a challenge $u \in \{0, 1\}$ at random and sends $u$ to $P$.

3. If $u = 0$, he sends $\gamma, A, B, \mathrm{OPEN}_{(\gamma,A,B)}$ to $V$. If $u = 1$, he sends $R, \mathrm{OPEN}_R$ to $V$.

4. If $u = 0$, $V$ does CHECK$(\gamma, A, B, \langle \gamma, A, B \rangle, \mathrm{OPEN}_{(\gamma,A,B)})$ and checks that $\delta_i = \gamma_i^d \cdot \prod_{j=1}^{s} \alpha_j^{a_{ij}} \cdot \prod_{j=1}^{t} \beta_j^{b_{ij}} \bmod n$ for all $1 \le i \le t$ and $q_i = \sum_{j=1}^{s} a_{ij} e_j + \sum_{j=1}^{t} b_{ij} c_j$ for all $1 \le i \le t$. If $u = 1$, $V$ does CHECK$(R, \langle R \rangle, \mathrm{OPEN}_R)$ and checks that $Q \neq R$. He then checks that $r_i = \log_\chi(\delta_i)$ for all $1 \le i \le t$ by interacting with $P$ in a confirmation protocol on the "signature" $R$ of $\delta$.

5 Security Analysis

Here we analyze the security of our proposed scheme. We do not recall here every security property suitable for an undeniable signature and refer to [8] and [10].

5.1 Validity of the Public Key

We say that a public key is valid if

1. the set $\{e_1, \ldots, e_s\}$ spans $\mathbb{Z}_d$,

2. when $d = 2$ there exists at least one $j$ s.t. $e_j \neq (\alpha_j/n)$,

3. the set $\{\alpha_1, \ldots, \alpha_s\}$ spans $\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d$.

If these conditions are fulfilled, we can prove that there exists at most one character $\chi$ such that $\chi(\alpha_i) = \theta^{e_i}$ for $1 \le i \le s$ and that this character is a hard one of order $d$. Note that the third condition is the only one which cannot be checked by $V$. This will be probabilistically satisfied depending on $s$. The first two are already avoided in the Setup of the scheme. Assuming that $G_1$ behaves like a random oracle, an analysis of the probability shows that the third condition is not satisfied with probability about $\frac{3}{2^s}$ for $d = 2$ and $\frac{4}{3^s}$ for $d = 3$. For $d = 4$, this probability has magnitude $O(\frac{1}{2^s})$. See Appendix B for more details on this computation. So, for $d = 3$ and $s = 52$ this probability is approximately $2^{-80}$. Thus invalid keys cannot be forged in practice.
5.2 Signature Forgery and Impersonation

In this subsection we show that our signature scheme is resistant to an existential forgery attack and that nobody other than the prover can confirm or deny a given signature.

Let us first consider an attacker $\mathcal{A}_1$ living in the security model of an undeniable signature. In such a model, $\mathcal{A}_1$ is supposed to have access to an oracle able to sign some queried messages, to a second oracle playing the role of the prover in the confirmation protocol and to an oracle able to play the role of the prover in the denial protocol. In fact, by looking at the confirmation protocol and denial protocol and assuming that $G_2$ is a random oracle, we can see that $\mathcal{A}_1$ does not learn more information in this model than having a random source $S$ generating some pairs $(\mu, \log_\chi(\mu)) \in \mathbb{Z}_n^* \times \mathbb{Z}_d$. Hence, this attacker reduces to a new attacker $\mathcal{A}_2$ having $S$ at his disposal. Assuming now that the $\alpha_i$'s generate $\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d$, an attacker picking some random values $\gamma \in \mathbb{Z}_n^*$, $a_i$'s in $\{0, 1, \ldots, d-1\}$ and then computing $\gamma^d \cdot \prod_{i=1}^{s} \alpha_i^{a_i}$ is also able to simulate the source $S$. Thus, $\mathcal{A}_2$ can be replaced by an attacker $\mathcal{A}_3$ that possesses only the public key. We conclude by saying that any attacker of our scheme will then be considered as $\mathcal{A}_3$. Finally, notice that $\mathcal{A}_3$ is exactly in the situation that corresponds to the assumption of the problem MOVA$^d_s$ (see Section 3).

To prepare these security proofs we first need the following results.

Theorem 8. Let $\varphi : G \to \mathbb{Z}_d$ be a group homomorphism. If one can compute an $f$ such that $\Pr_{x \in G}(f(x) \neq \varphi(x)) \le \frac{\varepsilon}{12}$ with a constant $\varepsilon < 1$, then one can compute $\varphi$ in a number of calls to $f$ bounded by a polynomial in $\log(\#G)$.

We have postponed the proof of this theorem to Appendix C.

Assuming that $\alpha_1, \ldots, \alpha_s$ span $\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d$ and using Theorem 8, we show that an entity that is able to confirm or deny a given signature must be able to compute the character, i.e. he possesses the secret key. Indeed, in these two protocols, the Prover is requested to evaluate the logarithm of the character on different values (e.g. $\delta$). Passing these tests corresponds to the ability of computing $\log_\chi$. More precisely, in the confirmation protocol we can see the Prover as a function that takes as input the value $\delta$ depending on the $a_i$'s and $b_i$'s and computes $\log_\chi(\delta)$. We can see this process as one function that is defined on the Abelian group $\mathbb{Z}_n^*$ and whose values lie in $\mathbb{Z}_d$. We see that we can directly apply our above general results to this function, since it satisfies the properties of the function $\varphi$ of Theorem 8. Thus, an entity that can evaluate this function with a small error probability is able to compute the character $\chi$ by Theorem 8.

Corollary 9 (Privacy of Confirmation). Let $\Sigma$ be a valid signature associated to a valid public key $K_p$. If MOVA$^d_s$ is hard, then no fake prover can pass the confirmation but with a probability bounded by $(1 - \frac{\varepsilon}{12})^k$ for any $\varepsilon < 1$.

This corollary protects a user against an impersonation during the confirmation protocol. So, an enemy is not able to confirm a message signed by a given person without knowing his secret key. The case of the denial protocol is more subtle because the number of characters the prover really has to compute is not fixed. In fact, when $u = 1$ he has a huge probability to pass the test by answering at random. It can happen with probability $2^{-\ell}$ that the prover does not need to compute any character at all. In any case, he will have to distinguish between $u = 0$ and $u = 1$ in order to pass the test. Thus the probability of success of the enemy is in any case less than $2^{-\ell}$ since the prover cannot know the value $u$.

After this discussion and having exposed Theorem 8, we can obviously say that our scheme is resistant against existential forgery.

Corollary 10 (Hardness of existential forgery). Assuming that MOVA$^d_s$ is hard and that $G_2$ is a random oracle, then no attacker can forge a valid signature for a message $m$ but with a probability bounded by $(1 - \frac{\varepsilon}{12})^t$ for any $\varepsilon < 1$.

5.3 The Confirmation Protocol

We provide below some properties on the security of the confirmation protocol. From now on, $\mathrm{Sign}(m, K_p, P)$ denotes the signature of the message $m$ of the user $P$ possessing the public key $K_p$.

Proposition 11 (Confirmation protocol).

Completeness. Let $\Sigma = \mathrm{Sign}(m, K_p, P)$ be a valid signature. If $P$ and $V$ follow the Confirmation Protocol, then $V$ always accepts the validity of the signature $\Sigma$.

Soundness. Let $\Sigma \neq \mathrm{Sign}(m, K_p, P)$ be an invalid signature with respect to $K_p$. Then a cheating Prover $P$ can confirm the signature $\Sigma$ with a probability not better than $\frac{1}{p^k}$, where $p$ is the smallest prime factor of $d$.

Zero-Knowledge. The confirmation protocol is zero-knowledge.

Proof (Sketch). The completeness is obvious by looking at the protocol.

For the proof of the soundness, we investigate what the behavior of the cheater $P$ should be in order to bypass the confirmation protocol. For the sake of simplicity, assume also that the signature $\Sigma$ differs from $\mathrm{Sign}(m, K_p, P)$ in only one component. W.l.o.g. assume that $c_1 \neq \log_\chi(\beta_1)$, where the term $\beta_1$ is the first term of $G_2(m)$. Passing one round of the confirmation protocol is equivalent to being able to find the value $v := \sum_{i=1}^{s} a_i e_i + \sum_{i=1}^{t} b_i c_i \bmod d$ knowing the $e_i$'s, the $\log_\chi(\beta_i)$'s and $\log_\chi(\delta)$. Since $v - \log_\chi(\delta) = b_1(c_1 - \log_\chi(\beta_1))$, we deduce that the cheater passes the test iff he can find the value $b_1$. This is not possible because the value $\delta$ can be generated in several different ways, i.e. for several different $\gamma \in \mathbb{Z}_n^*$, $a_i$'s and $b_i$'s. Thus, the $d$ different distributions of $\delta$ corresponding to the $d$ different fixed values of $b_1$ are indistinguishable when $d$ is prime. Otherwise, the assertion remains true when we replace $d$ by $p$ in the worst case. Therefore, he cannot do better than guessing the correct $b_1$ in a set of at least $p$ elements.

Zero-knowledge: An honest verifier can easily simulate the transcript of the protocol. Since a dishonest verifier has a negligible probability to pass the protocol, our confirmation protocol is therefore zero-knowledge. □
5.4 The Denial Protocol

Proposition 12 (Denial protocol).

Completeness. Let $\Sigma \neq \mathrm{Sign}(m, K_p, P)$ be an invalid signature. If $P$ and $V$ follow the Denial Protocol, then $V$ always concludes the invalidity of the signature $\Sigma$.

Soundness. Let $\Sigma = \mathrm{Sign}(m, K_p, P)$ be a valid signature with respect to $K_p$. Then a cheating Prover $P$ can deny the signature $\Sigma$ with a probability not greater than $2^{-\ell}$.

Zero-Knowledge. The denial protocol is zero-knowledge.

Proof (Sketch). Completeness: It is obvious by examining the denial protocol.

Soundness: First, notice that a cheating prover could easily pass the denial protocol if he were able to find out whether $u = 0$ or $u = 1$. Conversely, if he does not have this ability, he cannot pass the denial protocol with a probability greater than $2^{-\ell}$ if we assume that the soundness of the confirmation protocol is perfect.

Zero-knowledge: For $u = 0$ a verifier can trivially simulate the transcript of the protocol (assuming that $\langle R \rangle$ can be simulated). For $u = 1$ he can pick some $a_{ij}$'s, $b_{ij}$'s and $\gamma_i$'s at random, then set $q_i := \sum_{j=1}^{s} a_{ij} e_j + \sum_{j=1}^{t} b_{ij} c_j$ and $\delta_i := \gamma_i^d \cdot \prod_{j=1}^{s} \alpha_j^{a_{ij}} \cdot \prod_{j=1}^{t} \beta_j^{b_{ij}}$. He can pick $R \neq Q$ at random, then simulate the protocol. One can easily prove that the generated $(\delta, Q, R)$ have the same distribution as in the protocol. He then needs to simulate the confirmation protocol. □

5.5 Complexity

The complexity of the signature generation is the computation of $t$ characters. For the confirmation protocol, the verifier needs about $k \cdot (s + t) \cdot (d-1)/d$ multiplications in $\mathbb{Z}_n^*$ assuming that the values $\alpha_i^2, \beta_i^2, \alpha_i^3, \beta_i^3 \bmod n$ are precomputed. In the same protocol, the prover has to perform $k$ character computations. The denial protocol requires about $\ell \cdot t \cdot (s + t) \cdot (d-1)/d$ modular multiplications and $k \cdot \ell/2$ character computations from the prover. The verifier has to compute $1/2 \cdot (\ell t + k) \cdot (s + t) \cdot (d-1)/d$ modular multiplications⁴. Note that character computation is asymptotically comparable to multiplication in terms of complexity, i.e. $O((\log n)^2)$.

The setup protocol requires the computation of $s$ characters as well as finding the hard character. This step can be realized in two different ways. The first one requires the generation of two primes $p, q$ with a complexity of $O((\log n)^4)$. The second way (for $d = 3, 4$ only) requires $O((\log n)^2)$ since we have to pick a large $\pi \in \mathbb{Z}[\theta]$ and compute $n = \pi\bar\pi$.

⁴ Note that it is possible to adapt the protocol of [10] in order to reduce the complexity of the denial protocol.
5.6 Key Setup Variants

Here, we discuss some variants of the setup allowing to reduce the size of $s$. As we have seen, in the first variant the signer selects his own key without any help. The consequence is that $s$ has to be large to ensure the security.

In the second variant, we propose that the signer selects his own key online with the participation of a certificate authority. This allows to reduce the value of $s$ since the signer is limited in the number of attempts. Note also that the complexity of this key setup is similar to the first variant, i.e. the complexity can be quadratic with $d = 3, 4$ and the second way for generating $n$ as discussed in the previous section.

The last variant allows an even lower $s$ but requires a greater complexity of the key setup since the signer needs to know the factorization of the modulus $n$. Here, the signer generates the key itself and proves its validity to the certificate authority or to the verifier. Below, we describe the protocol in which the prover (signer) convinces a verifier (authority) that the $\alpha_i$'s generate $\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d$.

Repeat $m$ times:

1. The prover picks $\delta_1 \in \mathbb{Z}_n^*$ at random and runs COMMIT$(\delta_1)$. He sends $\langle \delta_1 \rangle$ to the verifier.

2. The verifier picks $\delta_2 \in \mathbb{Z}_n^*$ at random and sends $\delta_2$ to the prover.

3. The prover computes some coefficients $\gamma \in \mathbb{Z}_n^*$, $a_1, \ldots, a_s \in \{0, \ldots, d-1\}$ that satisfy $\delta_1\delta_2 \equiv \gamma^d \cdot \prod_{j=1}^{s} \alpha_j^{a_j} \pmod n$. He sends $\delta_1, \mathrm{OPEN}_{\delta_1}, \gamma, a_1, \ldots, a_s$ to the verifier.

4. The verifier runs CHECK$(\delta_1, \langle \delta_1 \rangle, \mathrm{OPEN}_{\delta_1})$ and checks if $\delta_1 \in \mathbb{Z}_n^*$ and if the equality $\delta_1\delta_2 \equiv \gamma^d \cdot \prod_{j=1}^{s} \alpha_j^{a_j} \pmod n$ holds.

It can be shown that this protocol is complete, sound and zero-knowledge.

5.7 Parameters Choice

Note that our bounds are not tight and that we believe that $1 - \frac{\varepsilon}{12}$ can be replaced by $1 - \frac{\varepsilon}{2}$ everywhere⁶. Hence, the probability of an impersonation is similar to that of soundness. Since an attacker cannot check the validity or invalidity of a signature offline, the minimal size of the suitable parameters should correspond to a probability of $2^{-20}$. The signature can therefore have a length of 20 bits, i.e. $t = 20/\log_2(d)$. The same probability for the soundness of the confirmation resp. denial protocol implies that $k = 20/\log_2(p)$ resp. $\ell = 20$. If the public key is generated offline (first variant of setup), we have to consider a probability of $2^{-80}$. Hence, the value of $s$ is 80 for $d = 2, 4$ and $80/\log_2(3)$ for $d = 3$. Finally, the size of $n$ should be as in RSA, i.e. 1024 bits. For $d = 3$ we get the following sizes: $s = 52$, $t = 13$, $k = 13$ and $\ell = 20$. If the $\alpha_i$'s are generated online (second variant of setup) while registering the public key with an authority, we can reduce $s$ to $s = 13$. If failure cases are strongly controlled by the authority we can even afford a lower security level and have $s = 6$. If we can further prove that the $\alpha_i$'s span $\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d$ to the authority (third variant of setup) we can shorten $s$ drastically to $s = 2$ using certificates.

For academic purposes, we can propose $d = 2$, $s = 2$, $t = 1$, $k = 20$, $\ell = 20$ (i.e. a signature of only one bit!). An enemy is able to forge a signature with a probability of $1/2$ but he would not be able to confirm it. However, the true signer could not deny it.

⁶ At the time we are wrapping up this paper, we can prove that we can replace $\varepsilon/12$ by $\varepsilon/2$.

6 Conclusion

We proposed a new undeniable signature and proved its security. Since the signature does not have to be an element of the size of a modulus, our scheme offers the advantage of signing with short signatures. Moreover, we can see that the complexity of the signature generation, the confirmation and the denial protocol is quadratic in the size of $n$ since the most costly operation is a character computation. Furthermore, some key setup variants allow to get quadratic complexity. Another nice property of our protocol is the possibility to confirm several signatures at the same time. For this batch verification, we only need to consider these signatures as a big one.

As further research, we will extend our scheme to characters of higher order. It would also be worth studying whether our scheme can be modified in order to offer some additional advanced properties such as convertibility or delegation. In our scheme, we already have a kind of delegation when $d = 3$ or 4. Indeed, the ability to sign, confirm and deny can be delegated by releasing one hard character (i.e. some $\pi \in \mathbb{Z}[\theta]$) to the proxy while the original signer can keep the complete list of characters (i.e. the factorization of $n$). This property holds for $d \neq 2$ since disclosing one $\pi$ does not fully disclose the complete factorization of $n$. In the context of undeniable signatures the delegation should not give the proxy the possibility to sign but only to confirm or deny.
A Proofs of Some Equivalence Problems

FACT and CYCLOFACT. The case $d = 2$ is trivial. The cases $d = 3$ and $d = 4$ are similar. We concentrate on $d = 3$ here.

FACT $\le$ CYCLOFACT$^3$: Suppose we are given an oracle $\mathcal{O}_{\mathrm{CYCLOFACT}^3}$ that solves the problem CYCLOFACT$^3$. We compute the factorization of an $n \in \mathbb{Z}$ by calling $\mathcal{O}_{\mathrm{CYCLOFACT}^3}$ on the input $n$. We then obtain a decomposition of the form $n = u \cdot (1 - \omega)^{2m} \cdot \pi_1 \pi_2 \cdots \pi_a \cdot q_1 \cdot q_2 \cdots q_l$. By choosing the $\pi_i$'s that have the same norm and by combining them with $u$ we get some terms of the form $\pi_j \bar\pi_j = p_j$, where the $p_j$'s are rational prime integers. Doing the same with $(1 - \omega)^{2m}$ provides the term $3^m$. After this process, only rational primes will remain in this decomposition, i.e. the factorization of $n$ in $\mathbb{Z}$.

CYCLOFACT$^3 \le$ FACT: Here, we have access to the oracle $\mathcal{O}_{\mathrm{FACT}}$ and we have to factorize a $\sigma \in \mathbb{Z}[\omega]$. To this end, we compute $n = \sigma\bar\sigma$ and call the oracle $\mathcal{O}_{\mathrm{FACT}}$ on $n$ to obtain the factorization $n = \prod p_i$. Since the rational prime numbers $p_i$ congruent to 2 modulo 3 are also prime in $\mathbb{Z}[\omega]$, it suffices to find the nontrivial primes $\pi_i$ of the form $\pi_i\bar\pi_i = p_i \equiv 1 \pmod 3$. To this purpose, we apply the algorithm of Subsection 2.2 to the rational primes $p_i$'s congruent to 1 modulo 3. Hence, we obtain the decomposition $p_i = \pi_i\bar\pi_i$ of those primes. It remains to decide which one of $\pi_i$ or $\bar\pi_i$ divides $\sigma$. This can be decided by a Euclidean division. Thus, all the nontrivial prime divisors of $\sigma$ are found and therefore its factorization.

FERMAT and ROOT. We can show that FERMAT$^3$ is equivalent to solving the equation $n = s^2 + 3t^2$. Then, we can easily see that a solution of this equation gives a square root of $-3$ modulo $n$ if $(t, n) = 1$, namely $s \cdot t^{-1}$. The converse assertion follows from the fact that a solution $s, t$ is obtained by finding the shortest vector of the lattice $\{(s, t) \in \mathbb{Z}^2 \mid s \equiv tu \pmod n\}$. This can be done by a lattice reduction in dimension two using the reduction algorithm of Gauss (see [16]). Moreover, this algorithm has a polynomial complexity. □



B Probability of Generating $\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d$

We consider here a modulus of the form $n = pq$, where $p$ and $q$ are two rational primes s.t. $p \equiv q \equiv 1 \pmod d$. We study here the probability for $s$ elements $\alpha_1, \ldots, \alpha_s \in \mathbb{Z}_n^*$ picked at random to generate $\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d$. Observe that this group is isomorphic to $\mathbb{Z}_p^*/(\mathbb{Z}_p^*)^d \times \mathbb{Z}_q^*/(\mathbb{Z}_q^*)^d$ by the Chinese Remainder Theorem. Finally, this is also isomorphic to $\mathbb{Z}_d \oplus \mathbb{Z}_d$. Thus, it suffices to compute the probability that $s$ elements of $\mathbb{Z}_d \oplus \mathbb{Z}_d$ generate the whole group.

Case $d = 2$. First we observe that $\mathbb{Z}_2^2$ has 3 nontrivial subgroups, namely $G_1 := \{(1, 0), (0, 0)\}$, $G_2 := \{(0, 1), (0, 0)\}$, $G_3 := \{(1, 1), (0, 0)\}$. The only possibility for the elements not to generate the whole group is to stay always in exactly one of the above subgroups, i.e. to pick always the same nonzero element and/or the zero element. This probability is then $\Pr_2 = \left(\frac{1}{4}\right)^s + 3\left(\left(\frac{1}{2}\right)^s - \left(\frac{1}{4}\right)^s\right)$. The first term corresponds to the probability that all elements are equal to zero and the second corresponds to the probability that these elements lie in one of the three subgroups without being all equal to zero.

Case $d = 3$. This works similarly. The probability is $\Pr_3 = \left(\frac{1}{9}\right)^s + 4\left(\left(\frac{1}{3}\right)^s - \left(\frac{1}{9}\right)^s\right) = \frac{4}{3^s} - \frac{3}{9^s}$.

Case $d = 4$. Here, an exact computation would be more complicated, but the existence of subgroups of order 8 implies that the dominant term in the probability will be of magnitude $\left(\frac{1}{2}\right)^s = 2^{-s}$. An example of a subgroup of order 8 is $\langle (1, 2), (2, 2) \rangle = \{(0, 0), (1, 2), (2, 0), (3, 2), (2, 2), (3, 0), (0, 2), (1, 0)\}$.
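The following Python (added here, not from the paper) checks the probabilities of this appendix by exhaustive enumeration of $(\mathbb{Z}_d \oplus \mathbb{Z}_d)^s$ for small $s$: the closed forms for $d = 2, 3$, the order-8 subgroup listed for $d = 4$, and the bounds around $2^{-s}$ for $d = 4$. Function names are my own.

```python
import itertools
import math
from fractions import Fraction

# Added example, not from the paper: the probabilities of Appendix B verified by exhaustive
# enumeration of s-tuples of Z_d + Z_d for small s.  Function names are my own.

def span(gens, d):
    """The subgroup of Z_d + Z_d generated by `gens` (closure under addition mod d)."""
    group, frontier = {(0, 0)}, [(0, 0)]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = ((x[0] + g[0]) % d, (x[1] + g[1]) % d)
            if y not in group:
                group.add(y)
                frontier.append(y)
    return group

def exact_failure_probability(d, s):
    """Pr[s uniform elements of Z_d + Z_d do not generate the whole group], as an exact fraction."""
    elems = [(i, j) for i in range(d) for j in range(d)]
    bad = sum(1 for gens in itertools.product(elems, repeat=s) if len(span(gens, d)) < d * d)
    return Fraction(bad, len(elems) ** s)

def closed_form(d, s):
    """Appendix B for prime d: all s elements are zero, or all lie in one of the d+1 subgroups
    of order d without all being zero.  d = 2 gives Pr_2, d = 3 gives Pr_3."""
    zero = Fraction(1, d * d) ** s
    return zero + (d + 1) * (Fraction(1, d) ** s - zero)

def log2_closed_form(d, s):
    """log_2 of the closed form, e.g. about -80.4 for d = 3 and s = 52."""
    return math.log2(float(closed_form(d, s)))

def order4_bounds(s):
    """For d = 4 every proper subgroup lies in one of the three subgroups of order 8 (index 2),
    so the failure probability is between 2^-s and 3 * 2^-s.  Returns (lower, exact, upper)."""
    exact = exact_failure_probability(4, s)
    return Fraction(1, 2 ** s), exact, 3 * Fraction(1, 2 ** s)

if __name__ == "__main__":
    for d in (2, 3):
        print(d, [exact_failure_probability(d, s) == closed_form(d, s) for s in range(1, 5)])
    print("Pr_3 at s = 52 is about 2^%.1f" % log2_closed_form(3, 52))
    print(order4_bounds(3))
```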



C Proof of Theorem 8

We first have the following theorem. Its proof is freely inspired from [1, 2].

Theorem 13. Let $G$ be a finite Abelian group and $d \mid \#G$. Let $x_1, \ldots, x_r \in G$, $y_1, \ldots, y_r \in \mathbb{Z}_d$ and $f : G \to \mathbb{Z}_d$. If

$$\Pr_{a_1, \ldots, a_r \in \mathbb{Z}_d,\; x \in G}\Big[ f\Big(d \cdot x + \sum_{i=1}^{r} a_i \cdot x_i\Big) = \sum_{i=1}^{r} a_i \cdot y_i \Big] = 1 - \varepsilon > \frac{1}{2}$$

then there exists a morphism $\varphi : G \to \mathbb{Z}_d$ such that $\varphi(x_i) = y_i$ for all $1 \le i \le r$ and $\Pr_{x \in G}(f(x) = \varphi(x)) = 1 - \varepsilon$.
Proof. Let $H := \{(b_1, \ldots, b_r) \in \mathbb{Z}_d^r \text{ s.t. } \sum_{i=1}^{r} b_i \cdot x_i \in d \cdot G\}$. Let $\varepsilon'$ be such that $\frac{1}{2} > \varepsilon' > \varepsilon > 0$ and let $A$ be the set of all $(a_1, \ldots, a_r)$ in $\mathbb{Z}_d^r/H$ such that

$$\Pr_{x \in G,\; b \in H}\Big[ f\Big(d \cdot x + \sum_{i=1}^{r} (a_i + b_i) \cdot x_i\Big) = \sum_{i=1}^{r} (a_i + b_i) \cdot y_i \Big] > 1 - \varepsilon'.$$

We have

$$1 - \varepsilon = \frac{1}{\#(\mathbb{Z}_d^r/H)} \sum_{(a_1, \ldots, a_r) \in \mathbb{Z}_d^r/H} \Pr_{x \in G,\; b \in H}\Big[ f\Big(d \cdot x + \sum_{i=1}^{r} (a_i + b_i) \cdot x_i\Big) = \sum_{i=1}^{r} (a_i + b_i) \cdot y_i \Big].$$

From this, we deduce that $\varepsilon' - \varepsilon \le \varepsilon' \cdot \frac{\#A}{\#(\mathbb{Z}_d^r/H)}$ and thus $\frac{\#A}{\#(\mathbb{Z}_d^r/H)} \ge 1 - \frac{\varepsilon}{\varepsilon'} > 0$.

Let $(a_1, \ldots, a_r)$ be in $A$. We have

$$\frac{1}{\#H} \sum_{b \in H} \Pr_{x \in G}\Big[ f\Big(d \cdot x + \sum_{i=1}^{r} a_i \cdot x_i\Big) - \sum_{i=1}^{r} a_i \cdot y_i = \sum_{i=1}^{r} b_i \cdot y_i \Big] > 1 - \varepsilon'.$$

Hence, there exists an $x \in G$ such that $\Pr_{b \in H}[\mathrm{cste} = \sum_{i=1}^{r} b_i \cdot y_i] > 1 - \varepsilon' > \frac{1}{2}$, where $\mathrm{cste} := f(d \cdot x + \sum_{i=1}^{r} a_i \cdot x_i) - \sum_{i=1}^{r} a_i \cdot y_i$ does not depend on $b$. Therefore, for all $b \in H$ there holds $\sum_{i=1}^{r} b_i \cdot y_i = 0$. Finally, we can define $\varphi$ such that $\varphi(d \cdot x + \sum_{i=1}^{r} a_i \cdot x_i) := \sum_{i=1}^{r} a_i \cdot y_i$.



Lemma 14. Assume we are able to compute f s. t. Pr^^cifix) yf ‘fix)) < s. 
Then we can compute a function g such that Pr^^Gidix) yf p{x)) < 12e^ with 
at most 6 calls to f. 

Proof. For an a: G G, we compute the function g at x as follows: 

1. Pick yi, y 2 , yz G G. 

2. Compute f{x + yi), f{yi) for i = 1, 2, 3. 

3. If f{x + yi) — f{yi) = f{x + y^) — f{y 2 ), let this be g{x). Otherwise, we set 
that g{x) = f{x + 7 / 3 ) - f{yz). 

Set Px := Piy^^cifiy) piy) or f{x + y) p(x + y)). By definition, we have 
Px < 2£. We obtain Pr((/(a;) yf ^(x)) < 2Pf{l — P^) + Pf < 12£^. □ 



Proof (Theorem 8). By iterating n times, we get Pr(g(x) ≠ φ(x)) < (1/12) · (12ε)^{2^n}. For n > log_2( ) we have Pr_{x∈G}(g(x) ≠ φ(x)) < . Hence, this probability is equal to zero and the complexity is multiplied by a factor that is in the class poly(log(#G)). □



Abstract. Universal Designated-Verifier Signature (UDVS) schemes are digital signature schemes with additional functionality which allows any holder of a signature to designate the signature to any desired designated-verifier such that the designated-verifier can verify that the message was signed by the signer, but is unable to convince anyone else of this fact. Since UDVS schemes reduce to standard signatures when no verifier designation is performed, it is natural to ask how to extend the classical Schnorr or RSA signature schemes into UDVS schemes, so that the existing key generation and signing implementation infrastructure for these schemes can be used without modification. We show how this can be efficiently achieved, and provide proofs of security for our schemes in the random oracle model.



1 Introduction 

Universal Designated-Verifier Signature (UDVS) schemes introduced by Steinfeld et al. [16] are digital signature schemes with additional functionality which allows any holder of a signature to designate the signature to any desired designated-verifier such that the designated-verifier can verify that the message was signed by the signer, but is unable to convince anyone else of this fact, because the verifier's secret key allows him to forge the designated-verifier signatures without the signer's cooperation. Such signature schemes protect the privacy of signature holders from dissemination of signatures by verifiers, and have applications in certification systems [16].

The previous work [16] has shown how to construct efficient deterministic UDVS schemes from Bilinear group-pairs. However, since UDVS schemes reduce to standard signatures when no verifier designation is performed, it is natural to ask how to extend the classical Schnorr [14] or RSA [12] signature schemes into UDVS schemes, so that the existing key generation and signing implementation infrastructure for these schemes can be used without modification — the UDVS functionality can be added to such implementations as an optional feature. In this paper we show how this can be efficiently achieved, and provide concrete proofs of security for our schemes in the random oracle model [2].



F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 86-100, 2004. 
(c) International Association for Cryptologic Research 2004 
As shown in [16], any secure efficient construction of an unconditionally-private UDVS scheme with unique signatures (e.g. fully deterministic UDVS schemes with unique secret keys) gives rise to a secure efficient ID-Based Encryption (IBE) scheme. Constructing secure and efficient IBE schemes from classical Diffie-Hellman or RSA problems is a long-standing open problem [3], and until this problem is solved we also cannot hope to construct unconditionally-private UDVS schemes with unique signatures based on classical problems. However, the results in this paper show that by giving up the unique signature requirement and allowing randomization in either the signing (in the case of Schnorr signatures) or designation (in the case of RSA) algorithms, one can construct efficient UDVS schemes from classical problems. Although the UDVS schemes presented in this paper do not have unique signatures, they still achieve perfect unconditional privacy in the sense of [16].

Due to space limitation, the proofs of all theorems in the paper are omitted. 
They are included in the full version of this paper [17]. 

1.1 Related Work 

As pointed out in [16], the concept of UDVS schemes can be viewed as an application of the general idea of designated-verifier proofs, introduced by Jakobsson, Sako and Impagliazzo [8], where a prover non-interactively designates a proof of a statement to a verifier, in such a way that the verifier can simulate the proof by himself with his secret key and thus cannot transfer the proof to convince anyone else about the truth of the statement, yet the verifier himself is convinced by the proof. The distinctive feature of UDVS schemes is universal designation: anyone who obtains a signature can designate it.

Two of our proposed UDVS schemes (namely SchUDVS2 and RSAUDVS) make use of the paradigm in [8] of using a trapdoor commitment in a non-interactive proof of knowledge to achieve verifier designation. Since the underlying construction techniques used in these schemes are known, we view our main contribution here as providing a concrete security analysis which bounds the insecurity of these schemes in terms of the underlying primitives. Our third proposed scheme SchUDVS1 shows an alternative and more efficient approach than the paradigm of [8] for extending the Schnorr signature scheme into a UDVS scheme, using the Diffie-Hellman function. It is an analogue of the bilinear-based approach for constructing UDVS schemes proposed in [16].

Besides providing UDVS schemes based on classical problems, another contribution of this paper is in defining a stronger unforgeability notion for UDVS schemes, which allows the forger access to the attacked designated verifier's verification oracle, as well as to the signer's signing oracle (whereas the model in [16] only allows access to the signing oracle). We analyse our schemes in this stronger model.

Further related work to UDVS schemes is discussed in [16]. 
2 Preliminaries

2.1 Algorithms and Probability Notation

We say that a function f : ℕ → ℝ is a negligible function if, for any c > 0, there exists k_0 ∈ ℕ such that f(k) < 1/k^c for all k > k_0. We say that a probability function p : ℕ → ℝ is overwhelming if the function q : ℕ → ℝ defined by q(k) = 1 − p(k) is a negligible function. For various algorithms discussed, we will define a sequence of integers to measure the resources of these algorithms (e.g. running-time plus program length, number of oracle queries to various oracles). All these resource parameters can in general be functions of a security parameter k of the scheme. We say that an algorithm A with resource parameters RP = (r_1, ..., r_n) is efficient if each resource parameter r_i(k) of A is bounded by a polynomial function of the security parameter k, i.e. there exists a k_0 > 0 and c > 0 such that r_i(k) < k^c for all k > k_0.

2.2 Discrete-Log and Diffie-Hellman Problems

Our schemes use the following known hard problems for their security. For all these problems GC denotes an algorithm that on input a security parameter k, returns an instance (D_G, g) of a multiplicative group G of prime order q with generator g (the description string D_G determines the group and contains the group order q).

1. Discrete-Log Problem (DL) [4]: Given (D_G, g) = GC(k) and y_1 = g^{x_1} for uniformly random x_1 ∈ Z_q^*, compute x_1. We say that DL is hard if the success probability Succ_{A,DL}(k) of any efficient DL algorithm A with run-time t(k) is upper-bounded by a negligible function InSec_DL(t) of k.

2. Computational Diffie-Hellman Problem (CDH) [4]: Given (D_G, g) = GC(k), y_1 = g^{x_1} and y_2 = g^{x_2} for uniformly random x_1, x_2 ∈ Z_q^*, compute CDH_g(g^{x_1}, g^{x_2}) := g^{x_1 x_2}. We say that CDH is hard if the success probability Succ_{A,CDH}(k) of any efficient CDH algorithm A with run-time t(k) is upper-bounded by a negligible function InSec_CDH(t) in k.

3. Strong Diffie-Hellman Problem (SDH) [1, 10]: Given (D_G, g) = GC(k), y_1 = g^{x_1} and y_2 = g^{x_2} for uniformly random x_1, x_2 ∈ Z_q^*, compute g^{x_1 x_2} given access to a restricted Decision Diffie-Hellman (DDH) oracle DDH_{x_1}(., .), which on input (w, K) ∈ G × G, returns 1 if K = w^{x_1} and 0 else. We say that SDH is hard if the success probability Succ_{A,SDH}(k) of any efficient SDH algorithm A with run-time t(k) and which makes up to q(k) queries to DDH_{x_1}(., .), is upper-bounded by a negligible function InSec_SDH(t, q) in k.

We remark that the Strong Diffie-Hellman problem (SDH) as defined above and in [1] is a potentially harder variant of the Gap Diffie-Hellman (GDH) problem as defined in [10]. The difference between the two problems is in the DDH oracle: In the GDH problem the DDH oracle accepts four inputs (h, z_1, z_2, K) from the attacker and decides whether K = CDH_h(z_1, z_2), whereas in the SDH problem the attacker can only control the (z_2, K) inputs to the DDH oracle and the other two are fixed to the values h = g and z_1 = y_1 (we call this weaker oracle a restricted DDH oracle).

2.3 Trapdoor Hash Functions

Some of our proposed UDVS schemes make use of a general cryptographic scheme called a trapdoor hash function. We recall the definition and security notions for such schemes [15]. A trapdoor hash function scheme consists of three efficient algorithms: a key generation algorithm GKF, a hash function evaluation algorithm F, and a collision solver algorithm CSF. On input a security parameter k, the (randomized) key-gen. algorithm GKF(k) outputs a secret/public-key pair (sk, pk). On input a public-key pk, message m ∈ M and random r ∈ R (here M and R are the message and randomness spaces, respectively), the hash function evaluation algorithm outputs a hash string h = F_pk(m; r) ∈ H (here H is the hash string space). On input a key-pair (sk, pk), a message/randomizer pair (m_1, r_1) ∈ M × R and a second message m_2 ∈ M, the collision solver algorithm outputs a second randomizer r_2 = CSF((sk, pk), (m_1, r_1), m_2) ∈ R such that (m_1, r_1) and (m_2, r_2) constitute a collision for F_pk, i.e. F_pk(m_1; r_1) = F_pk(m_2; r_2).

There are two desirable security properties for a trapdoor hash function scheme TH = (GKF, F, CSF). The scheme TH is called collision-resistant if the success probability Succ^{CR}_{A,TH} of any efficient attacker A in the following game is negligible. A key-pair (sk, pk) = GKF(k) is generated, and A is given k and the public-key pk. A can run for time t and succeeds if it outputs a collision (m_1, r_1) and (m_2, r_2) for F_pk satisfying F_pk(m_1; r_1) = F_pk(m_2; r_2) and m_1 ≠ m_2. We denote by InSec^{CR}_{TH}(t) the maximal success probability in the above game over all attackers A with run-time plus program length at most t. The scheme TH is called perfectly-trapdoor if it has the following property: for each key-pair (sk, pk) = GKF(k) and message pair (m_1, m_2) ∈ M × M, if r_1 is chosen uniformly at random from R, then r_2 := CSF((sk, pk), (m_1, r_1), m_2) ∈ R has a uniform probability distribution on R.

3 Universal Designated-Verifier Signature (UDVS) Schemes

We review the definition of UDVS schemes and their security notions [16]. For unforgeability we also introduce a stronger notion of security than used in [16].

A Universal Designated Verifier Signature (UDVS) scheme DVS consists of seven algorithms and a 'Verifier Key-Registration Protocol' PKR. All these algorithms may be randomized.

1. Common Parameter Generation GC — on input a security parameter k, outputs a string consisting of common scheme parameters cp (publicly shared by all users).

2. Signer Key Generation GKS — on input a common parameter string cp, outputs a secret/public key-pair (sk_1, pk_1) for signer.

3. Verifier Key Generation GKV — on input a common parameter string cp, outputs a secret/public key-pair (sk_3, pk_3) for verifier.

4. Signing S — on input signing secret key sk_1, message m, outputs signer's publicly-verifiable (PV) signature σ.

5. Public Verification V — on input signer's public key pk_1 and message/PV-signature pair (m, σ), outputs verification decision d ∈ {Acc, Rej}.

6. Designation CDV — on input a signer's public key pk_1, a verifier's public key pk_3 and a message/PV-signature pair (m, σ), outputs a designated-verifier (DV) signature σ̂.

7. Designated Verification VDV — on input a signer's public key pk_1, verifier's secret key sk_3, and message/DV-signature pair (m, σ̂), outputs verification decision d ∈ {Acc, Rej}.

8. Verifier Key-Registration PKR = (KRA, VER) — a protocol between a 'Key Registration Authority' (KRA) and a 'Verifier' (VER) who wishes to register a verifier's public key. On common input cp, the algorithms KRA and VER interact by sending messages alternately from one to another. At the end of the protocol, KRA outputs a pair (pk_3, Auth), where pk_3 is a verifier's public-key, and Auth ∈ {Acc, Rej} is a key-registration authorization decision. We write PKR(KRA, VER) = (pk_3, Auth) to denote this protocol's output.

Verifier Key-Reg. Protocol. The purpose of the 'Verifier Key-Registration' protocol is to force the verifier to 'know' the secret-key corresponding to his public-key, in order to enforce the non-transferability privacy property. In this paper we assume, following [16], the direct key reg. protocol, in which the verifier simply reveals his secret/public key to the KRA, who authorizes the public-key only if the provided secret-key matches the public key.



3.1 Unforgeability 

In the case of a UDVS scheme there are actually two types of unforgeability properties to consider. The first property, called 'PV-Unforgeability', is just the usual existential unforgeability notion under chosen-message attack [6] for the standard PV signature scheme Σ = (GC, GKS, S, V) induced by the UDVS scheme (this prevents attacks to fool the designator). The second property, called 'DV-Unforgeability', requires that it is difficult for an attacker to forge a DV-signature σ̂* by the signer on a 'new' message m*, such that the pair (m*, σ̂*) passes the DV-verification test with respect to a given designated-verifier's public key pk_3 (this prevents attacks to fool the designated verifier, possibly mounted by a dishonest designator). As pointed out in [16], it is sufficient to prove the DV-unforgeability of a UDVS scheme, since the 'DV-unforgeability' property implies the 'PV-unforgeability' property.

In this paper we introduce a stronger version of DV-unforgeability than used in [16], which we call ST-DV-UF. This model allows the forger also access to the verification oracle of the designated-verifier (this oracle may help the forger because it uses the designated-verifier's secret key, which in turn can be used to forge DV signatures, as required by the privacy property). Note that the model in [16] does not provide this oracle. We believe it is desirable for UDVS schemes to be secure even under such attacks, and place no restrictions on the attacker in accessing the verifier's oracle — in particular the attacker can control both the message/DV sig. pair as well as the signer's public key in accessing this oracle. We remark (proof omitted) that the strong DV-unforgeability of the UDVS scheme in [16] follows (in the random-oracle model) from the hardness of a gap version of the Bilinear Diffie-Hellman (BDH) problem, in which the attacker has access to a BDH decision oracle (whereas just hardness of BDH suffices for this scheme to achieve the weaker DV-unforgeability notion in [16]).

Definition 1 (Strong DV-Unforgeability). Let DVS = (GC, GKS, GKV, S, V, CDV, VDV, PKR) be a UDVS scheme. Let A denote a forger attacking the unforgeability of DVS. The Strong DV-Unforgeability notion ST-UF-DV for this scheme is defined as follows:

1. Attacker Input: Signer and Verifier's public-keys (pk_1, pk_3) (where (sk_1, pk_1) = GKS(cp), (sk_3, pk_3) = GKV(cp) and cp = GC(k)).

2. Attacker Resources: Run-time plus program-length at most t, oracle access to signer's signing oracle S(sk_1, .) (q_s queries), oracle access to designated-verifier's verification oracle VDV(., sk_3, ., .) (q_v queries) and, if scheme DVS makes use of n random oracles RO_1, ..., RO_n, allow q_{RO_i} queries to the ith oracle RO_i for i = 1, ..., n. We write attacker's Resource Parameters (RPs) as RP = (t, q_s, q_v, q_{RO_1}, ..., q_{RO_n}).

3. Attacker Goal: Output a forgery message/DV-signature pair (m*, σ̂*) such that:

(1) The forgery is valid, i.e. VDV(pk_1, sk_3, m*, σ̂*) = Acc.

(2) Message m* is 'new', i.e. has not been queried by attacker to S.

4. Security Notion Definition: Scheme DVS is said to be unforgeable in the sense of ST-UF-DV if, for any efficient attacker A, the probability Succ^{ST-UF-DV}_{A,DVS}(k) that A succeeds in achieving the above goal is a negligible function of k. We quantify the insecurity of DVS in the sense of ST-UF-DV against arbitrary attackers with resource parameters RP = (t, q_s, q_v, q_{RO_1}, ..., q_{RO_n}) by the probability

$$\mathrm{InSec}^{\mathrm{ST\text{-}UF\text{-}DV}}_{\mathrm{DVS}}(t, q_s, q_v, q_{RO_1}, \ldots, q_{RO_n}) \stackrel{\mathrm{def}}{=} \max_{A \in AS_{RP}} \mathrm{Succ}^{\mathrm{ST\text{-}UF\text{-}DV}}_{A,\mathrm{DVS}}(k),$$

where the set AS_RP contains all attackers with resource parameters RP.



3.2 Non-transferability Privacy

Informally, the purpose of the privacy property for a UDVS scheme is to prevent a designated-verifier from using the DV signature σ̂ on a message m to produce evidence which convinces a third-party that the message m was signed by the signer. The privacy is achieved because the designated-verifier can forge DV signatures using his secret-key, so even if the designated-verifier reveals his secret key to the third-party, the third-party cannot distinguish whether a DV signature was produced by the designator or forged by the designated-verifier.

We review the privacy model from [16]. The attacker is modelled as a pair of interacting algorithms (A_1, A_2) representing the designated-verifier (DV) and Third-Party (TP), respectively. Let Ā_1 denote a forgery strategy. The goal of A_2 is to distinguish whether it is interacting with A_1 who has access to designated signatures (game yes) or with Ā_1, who doesn't have access to designated signatures (game no). More precisely, the game yes runs in two stages as follows.

Stage 1. (A_1, A_2) are run on input pk_1, where (sk_1, pk_1) = GKS(cp) and cp = GC(k). In this stage, A_1 has access to: (1) signing oracle S(sk_1, .), (2) KRA key-reg. oracle to register verifier public keys pk via PKR interactions, (3) A_2 oracle for querying a message to A_2 and receiving a response. At end of stage 1, A_1 outputs a message m* not queried to S during the game (m* is given to A_2). Let σ* = S(sk_1, m*).

Stage 2. A_1 continues to make S, KRA and A_2 queries as in stage 1, but also has access to a designation oracle CDV(pk_1, ., m*, σ*) which it can query with any verifier public-key pk which was answered Acc by a previous KRA key-reg. query. At end of stage 2, A_2 outputs a decision d ∈ {yes, no}.

The game no is defined in the same way except that (1) A_1 is replaced by Ā_1, (2) Ā_1 receives as input pk_1 and the program for A_1, (3) Ā_1 cannot make any designation queries, (4) Ā_1 makes the same number of sign queries as A_1 (possibly 0).

Let P_yes and P_no denote the probability that A_2 outputs yes in games yes and no, respectively. We let Δ(A_1, A_2) := |P_yes − P_no| denote A_2's distinguishing advantage.

Definition 2. A UDVS scheme is said to achieve complete and perfect unconditional privacy (PR notion) if there exists an efficient forgery strategy Ā_1 such that Δ(A_1, A_2) = 0 for any efficient A_1 and computationally unbounded A_2.



4 Two Extensions of Schnorr Signature Scheme into UDVS Schemes

We will present two UDVS schemes which are both extensions of the Schnorr [14] signature scheme (that is, the signer key-generation, signing and public-verification algorithms in both schemes are identical to those of the Schnorr signature). The first UDVS scheme SchUDVS1 has an efficient and deterministic designation algorithm and its unforgeability relies on the Strong Diffie-Hellman (SDH) assumption. The second UDVS scheme SchUDVS2 has a less efficient randomized designation algorithm, but its unforgeability follows from the weaker Discrete-Logarithm (DL) assumption (in the random-oracle model).
4.1 First Scheme: SchUDVS1

Our first UDVS scheme SchUDVS1 is defined as follows. Let {0,1}^{≤ℓ} denote the message space of all bit strings of length at most ℓ bits. The scheme makes use of a cryptographic hash function H : {0,1}^{≤ℓ} × {0,1}^{l_G} → {0,1}^{l_q}, modelled as a random-oracle [2] in our security analysis. We assume that elements of the group G output by algorithm GC are represented by bit strings of length l_G ≥ l_q bits, where l_q = ⌊log_2 q⌋ + 1 is the bit length of q.

1. Common Parameter Generation GC. (Identical to Schnorr). Choose a group G of prime order q > 2^k with description string D_G (e.g. if G is a subgroup of Z_p^*, the string D_G would contain (p, q)), and let g ∈ G denote a generator for G. The common parameters are cp = (D_G, g).

2. Signer Key Generation GKS. (Identical to Schnorr). Given the common parameters cp, pick random x_1 ∈ Z_q^* and compute y_1 = g^{x_1}. The public key is pk_1 = (cp, y_1). The secret key is sk_1 = (cp, x_1).

3. Verifier Key Generation GKV. Given the common parameters cp, pick random x_3 ∈ Z_q^* and compute y_3 = g^{x_3}. The public key is pk_3 = (cp, y_3). The secret key is sk_3 = (cp, x_3).

4. Signing S. (Identical to Schnorr). Given the signer's secret key (cp, x_1), and message m, choose a random k ∈ Z_q and compute u = g^k, r = H(m, u) and s = k + r · x_1 (mod q). The PV signature is σ = (r, s).

5. Public Verification V. (Identical to Schnorr). Given the signer's public key y_1 and a message/PV sig. pair (m, (r, s)), accept if and only if H(m, u) = r, where u = g^s · y_1^{−r}.

6. Designation CDV. Given the signer's public key y_1, a verifier's public key y_3 and a message/PV-signature pair (m, (r, s)), compute u = g^s · y_1^{−r} and K = y_3^s. The DV signature is σ̂ = (u, K).

7. Designated Verification VDV. Given a signer's public key y_1, a verifier's secret key x_3, and message/DV-sig. pair (m, (u, K)), accept if and only if K = (u · y_1^r)^{x_3}, where r = H(m, u).

Unforgeability. The PV-Unforgeability of SchUDVS1 is equivalent to the unforgeability of the Schnorr signature, which in turn is equivalent to the Discrete-Logarithm (DL) assumption in G, assuming the random-oracle model for H(.) [11]. However, for the DV-Unforgeability of SchUDVS1, it is clear that the stronger 'Computational Diffie-Hellman' (CDH) assumption in G is certainly necessary — an attacker can forge a DV signature (u, K) on a message m by choosing a random u ∈ G, computing r = H(m, u) and then K = CDH_g(u · y_1^r, y_3) (indeed this is the idea behind the proof of the privacy of SchUDVS1 — see below). Moreover, in the strong DV-unforgeability attack setting, the even stronger 'Strong Diffie-Hellman' (SDH) assumption in G is necessary. This is because the forger's access to the verifier's VDV oracle allows him to simulate the fixed-input DDH oracle DDH_{x_3}(w, K) which decides whether K = w^{x_3} or not (see Sec. 2.2), namely we have DDH_{x_3}(w, K) = VDV(y_1', x_3, m, (u, K)) with y_1' = (w · u^{−1})^{r^{−1}} and r = H(m, u). Note that this does not rule out the possibility that there may be another attack which even bypasses the need to break SDH. Fortunately, the following theorem shows that this is not the case and SDH is also a sufficient condition for Strong DV-Unforgeability of SchUDVS1, assuming the random-oracle model for H(.). The proof uses the forking technique, as used in the proof in [11] of PV-Unforgeability of the Schnorr signature.

Theorem 1 (Strong DV-Unforg. of SchUDVS1). If the Strong Diffie-Hellman problem (SDH) is hard in groups generated by the common-parameter algorithm GC, then the scheme SchUDVS1 achieves Strong DV-unforgeability (ST-UF-DV notion) in the random-oracle model for H(.). Concretely, the following insecurity bound holds:

$$\mathrm{InSec}^{\mathrm{ST\text{-}UF\text{-}DV}}_{\mathrm{SchUDVS1}}(t, q_s, q_v, q_H) \le 2\big[(q_H + q_v)\,\mathrm{InSec}_{\mathrm{SDH}}(t[S'], q[S'])\big]^{1/2} + \frac{q_s(q_H + q_s + q_v) + 2(q_H + q_v) + 1}{2^{k}},$$

where t[S'] = 2t + 2(q_H + q_s + q_v + 1)(T_S + O(l_H)) + (q_s + 1)O(l_q T_g) + O(l_G), where T_S = O(log_2(q_H + q_s + q_v) · (ℓ + l_G)) and q[S'] = 2q_v. Here we denote by T_g the time needed to perform a group operation in G.

Privacy. The privacy of SchUDVS1 follows from the existence of an algorithm for forging DV signatures (with identical probability distribution as that of real DV signatures) using the verifier's secret key, which is a trapdoor for solving the CDH problem on which the DV-Unforgeability relies.

Theorem 2 (Privacy of SchUDVS1). The scheme SchUDVS1 achieves complete and perfect unconditional privacy (PR notion).
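The following is an added, runnable illustration of the seven SchUDVS1 algorithms above together with the forgery by the designated verifier on which Theorem 2 rests. It is example code written for this edition, not code from the paper or its authors. Everything not fixed by the scheme text is an assumption of mine: the group is a freshly generated 64-bit Schnorr group (p = 2q + 1, g = 4), the random oracle H is instantiated with SHA-256 reduced modulo q, the byte encodings are ad hoc, and the function names (`designate`, `dv_verify`, `dv_forge`, `demo`) are my own. In `dv_forge` the verifier uses x_3 exactly as the privacy argument describes: a uniformly random u and K = (u · y_1^r)^{x_3}, so (u, K) is distributed like a genuine designation even though no PV signature was ever seen.

```python
# Added example (not the paper's code): SchUDVS1, the Schnorr UDVS that designates
# through the Diffie-Hellman function.  Group generation, the SHA-256 instantiation
# of the random oracle H and the byte encodings are my own choices.
import hashlib
import random

rng = random.SystemRandom()

def is_probable_prime(n, rounds=24):
    """Miller-Rabin, adequate for an illustration (not a vetted parameter generator)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64):
    """GC(k): (p, q, g) with p = 2q+1 prime; g = 4 is a square, hence of order q.
    A 64-bit q keeps the demo instant; real parameters are far larger."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = gen_group()

def H(m, u):
    """Random oracle H(m, u) -> Z_q, instantiated with SHA-256 (assumption)."""
    data = len(m).to_bytes(4, "big") + m + u.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """GKS and GKV are the same procedure: x in Z_q^*, y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def recover_u(y1, r, s):
    """u = g^s * y1^(-r); equals the signer's g^k for a valid signature."""
    return pow(G, s, P) * pow(pow(y1, r, P), -1, P) % P

def sign(x1, m):
    """S: Schnorr signature (r, s) with r = H(m, g^k), s = k + r*x1 mod q."""
    k = rng.randrange(Q)
    r = H(m, pow(G, k, P))
    return r, (k + r * x1) % Q

def verify(y1, m, sig):
    """V: accept iff H(m, u) = r."""
    r, s = sig
    return H(m, recover_u(y1, r, s)) == r

def designate(y1, y3, sig):
    """CDV: DV signature (u, K) with K = y3^s.  s itself is never disclosed."""
    r, s = sig
    return recover_u(y1, r, s), pow(y3, s, P)

def dv_verify(y1, x3, m, dvsig):
    """VDV: accept iff K = (u * y1^r)^x3, i.e. K is the CDH value of g^s and y3."""
    u, K = dvsig
    r = H(m, u)
    return K == pow(u * pow(y1, r, P) % P, x3, P)

def dv_forge(y1, x3, m):
    """The designated verifier's simulator behind Theorem 2: a uniform u, then
    K = (u * y1^r)^x3.  The pair is distributed exactly like a real DV signature."""
    u = pow(G, rng.randrange(Q), P)
    return u, pow(u * pow(y1, H(m, u), P) % P, x3, P)

def demo(m=b"constructed message"):
    x1, y1 = keygen()                    # signer
    x3, y3 = keygen()                    # designated verifier
    x3_other = x3 % (Q - 1) + 1          # a different verifier key, guaranteed != x3
    sig = sign(x1, m)
    dv = designate(y1, y3, sig)
    return {
        "pv_ok": verify(y1, m, sig),
        "dv_ok": dv_verify(y1, x3, m, dv),
        "forged_ok": dv_verify(y1, x3, m, dv_forge(y1, x3, m)),
        "other_verifier": dv_verify(y1, x3_other, m, dv),
        "tampered": dv_verify(y1, x3, m + b"!", dv),
    }
```

Calling `demo()` returns `pv_ok`, `dv_ok` and `forged_ok` as True and the two negative checks as False: a designation made for y_3 is rejected under any other verifier key, and a DV signature cannot be moved to a different message. Note that `dv_verify` is exactly the "restricted DDH oracle" remarked on in the Unforgeability paragraph, which is why the reduction needs SDH rather than CDH.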



4.2 Second Scheme: SchUDVS2

Our second UDVS scheme SchUDVS2 trades off efficiency for a better provable unforgeability security guarantee. Rather than using the Diffie-Hellman trapdoor function to achieve privacy, we instead get the designator to produce a Schnorr proof of knowledge of the PV signature (r, s). This proof of knowledge is made non-interactive in the random-oracle model using the Fiat-Shamir heuristic [5], but using a trapdoor hash function [9, 15] F_{y_3}(.; .) composed with a random oracle J(.) in producing the 'verifier random challenge' r̄ for this proof of knowledge. The designated-verifier's secret key consists of the trapdoor for the hash function F_{y_3}, which suffices for forging the DV signatures, thus providing the privacy property. We remark that a similar technique was used by Jakobsson, Sako and Impagliazzo [8], who used a trapdoor commitment scheme in constructing a designated-verifier undeniable signature scheme. Our scheme can use any secure trapdoor hash function.

The resulting scheme is defined as follows. Let {0,1}^{≤ℓ} denote the message space of all bit strings of length at most ℓ bits. The scheme makes use of two cryptographic hash functions H : {0,1}^{≤ℓ} × {0,1}^{l_G} → {0,1}^{l_q} and J : {0,1}^{≤ℓ} × Z_q × {0,1}^{l_G} × {0,1}^{l_F} → {0,1}^{l_q}, both modelled as random-oracles [2] in our security analysis. We also use a trapdoor hash function scheme TH = (GKF, F, CSF) with F_{y_3} : {0,1}^* × R_F → {0,1}^{l_F} (we refer the reader to Section 2 for a definition of trapdoor hash function schemes). We assume that elements of the group G output by algorithm GC are represented by bit strings of length l_G ≥ l_q bits, where l_q = ⌊log_2 q⌋ + 1 is the bit length of q.

1. Common Parameter Generation GC. (Identical to Schnorr). Choose a group G of prime order q with description string D_G (e.g. if G is a subgroup of Z_p^*, the string D_G would contain (p, q)), and let g ∈ G denote a generator for G. The common parameters are cp = (k, D_G, g) (k is the security parameter).

2. Signer Key Generation GKS. (Identical to Schnorr). Given the common parameters cp, pick random x_1 ∈ Z_q and compute y_1 = g^{x_1}. The public key is pk_1 = (cp, y_1). The secret key is sk_1 = (cp, x_1).

3. Verifier Key Generation GKV. Given the common parameters cp = k, run TH's key-gen. algorithm to compute (sk, pk) = GKF(k). The public key is pk_3 = (cp, pk). The secret key is sk_3 = (cp, sk, pk).

4. Signing S. (Identical to Schnorr). Given the signer's secret key (cp, x_1), and message m, choose a random k ∈ Z_q and compute u = g^k, r = H(m, u) and s = k + r · x_1 (mod q). The PV signature is σ = (r, s).

5. Public Verification V. (Identical to Schnorr). Given the signer's public key y_1 and a message/PV sig. pair (m, (r, s)), accept if and only if H(m, u) = r, where u = g^s · y_1^{−r}.

6. Designation CDV. Given the signer's public key y_1, a verifier's public key pk_3 = (cp, pk) and a message/PV-signature pair (m, (r, s)), compute u = g^s · y_1^{−r}, ū = g^{k̄} for a random k̄ ∈ Z_q, h = F_pk(ū; r_F) for a random r_F ∈ R_F, r̄ = J(m, r, u, h) and s̄ = k̄ + r̄ · s mod q. The DV signature is σ̂ = (u, r_F, r̄, s̄).

7. Designated Verification VDV. Given a signer's public key y_1, a verifier's secret key sk_3 = (cp, sk, pk), and message/DV-sig. pair (m, (u, r_F, r̄, s̄)), accept if and only if J(m, r, u, h) = r̄, where r = H(m, u), h = F_pk(ū; r_F) and ū = g^{s̄} · (u · y_1^r)^{−r̄}.

Unforgeability. The idea behind the DV-Unforgeability of SchUDVS2 is that the DV signature is effectively a proof of knowledge of the s portion of the PV Schnorr signature (r, s) by the signer on m. Namely, using the forking technique we can use a forger for SchUDVS2 to extract s and hence forge a Schnorr PV signature for some unsigned message m, or alternately to break the collision-resistance of the trapdoor hash scheme TH. We have the following concrete result. Note that we need only assume that J(.) is a random-oracle in proving this result, but we provide a count of H(.) queries to allow the use of our reduction bound in conjunction with known results on the unforgeability of the Schnorr signature which assume the random-oracle model for H(.).

Theorem 3 (Strong DV-Unforg. of SchUDVS2). If SchUDVS2 is PV-unforgeable (UF-PV notion) and TH is collision-resistant (CR notion) then SchUDVS2 achieves Strong DV-unforgeability (ST-UF-DV notion) in the random-oracle model for J(.). Concretely, the following insecurity bound holds:

$$\mathrm{InSec}^{\mathrm{ST\text{-}UF\text{-}DV}}_{\mathrm{SchUDVS2}}(t, q_s, q_v, q_J, q_H) \le 2\big[(q_J + q_v)\,q_s\big]^{1/2}\big[\mathrm{InSec}^{\mathrm{UF\text{-}PV}}_{\mathrm{SchUDVS2}}(t[S'], q_s[S'], q_H[S']) + \mathrm{InSec}^{\mathrm{CR}}_{\mathrm{TH}}(t[T])\big]^{1/2} + \frac{2(q_J + q_v)\,q_s + 1}{2^{k}},$$

where t[S'] = t[T] = 2t + O((q_J + q_v)(ℓ + l_F + l_G) + l_q T_g), q_s[S'] = 2q_s and q_H[S'] = 2q_H. Here we denote by T_g the time needed to perform a group operation in G.



Privacy. The privacy of SchUDVS2 follows from the existence of an algorithm for forging DV signatures (with identical probability distribution as that of real DV signatures) using the verifier's secret key, which is a trapdoor for solving collisions in TH. In particular we need here the perfectly-trapdoor property of TH. This result holds in the standard model (no random-oracle assumptions).

Theorem 4 (Privacy of SchUDVS2). If the scheme TH is perfectly-trapdoor then SchUDVS2 achieves complete and perfect unconditional privacy (PR notion).
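As an added illustration serving both the trapdoor hash definition of Section 2.3 and the SchUDVS2 scheme of this section, here is a runnable toy implementation. It is example code for this edition, not code from the paper or its authors. The paper allows any secure trapdoor hash; I instantiate TH = (GKF, F, CSF) with the Krawczyk-Rabin chameleon hash F_pk(msg; r) = g^msg · pk^r over the same group, whose collision solver `csf` is the trapdoor and is perfectly-trapdoor in the sense of Section 2.3. Further assumptions of mine: a fixed toy Schnorr group (p = 2039, q = 1019, g = 4; real deployments use standardised groups with a 256-bit q), SHA-256 for both random oracles H and J (J's output is kept as a full-width integer and reduced only inside exponents), a hash-to-Z_q step `to_zq` that maps the group element ū into the chameleon hash's message space, and all function names. Since the paper's proofs are in the full version, `dv_forge` is my reconstruction of the verifier's simulator behind Theorem 4: fix the challenge r̄ on a dummy commitment, choose s̄ freely, and use the trapdoor to re-open h at the commitment that VDV will recompute.

```python
# Added example (not the paper's code): SchUDVS2 on top of a Krawczyk-Rabin chameleon
# hash, which plays the role of the trapdoor hash TH = (GKF, F, CSF) of Section 2.3.
# Toy group, SHA-256 for H and J, and the hash-to-Z_q step are my own choices.
import hashlib
import random

P, Q, G = 2039, 1019, 4   # constructed toy group: p = 2q+1, both prime; 4 has order q
rng = random.SystemRandom()

def be(x):                   # big-endian bytes of an int; hash_int length-prefixes fields
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

def hash_int(*fields):
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return int.from_bytes(h.digest(), "big")

def H(m, u):                 # Schnorr challenge H(m, u), kept as a 256-bit integer
    return hash_int(m, be(u))

def J(m, r, u, h):           # challenge of the designated proof of knowledge
    return hash_int(m, be(r), be(u), be(h))

def keygen():                # GKS, and also GKF: x in Z_q^*, y = g^x
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

# --- trapdoor hash TH: chameleon hash F_pk(msg; r) = g^msg * pk^r, msg and r in Z_q ---
def F(pk, msg, rF):
    return pow(G, msg, P) * pow(pk, rF, P) % P

def csf(sk, m1, r1, m2):
    """CSF: r2 with F_pk(m1; r1) = F_pk(m2; r2); uniform r1 gives uniform r2."""
    return (r1 + (m1 - m2) * pow(sk, -1, Q)) % Q

def to_zq(u):                # group element -> message space of F (assumption)
    return hash_int(be(u)) % Q

# --- Schnorr PV signature (steps 4 and 5 of the scheme) ---
def sign(x1, m):
    k = rng.randrange(Q)
    r = H(m, pow(G, k, P))
    return r, (k + r * x1) % Q

def recover_u(y1, r, s):     # u = g^s * y1^(-r) = g^k for a valid (r, s)
    return pow(G, s, P) * pow(pow(y1, r, P), -1, P) % P

def verify(y1, m, sig):
    r, s = sig
    return H(m, recover_u(y1, r, s)) == r

# --- SchUDVS2 designation (step 6) and designated verification (step 7) ---
def designate(y1, pk, m, sig):
    r, s = sig
    u = recover_u(y1, r, s)
    kbar, rF = rng.randrange(Q), rng.randrange(Q)
    h = F(pk, to_zq(pow(G, kbar, P)), rF)        # commitment g^kbar goes through F
    rbar = J(m, r, u, h)
    return u, rF, rbar, (kbar + rbar * s) % Q     # Schnorr-style proof of knowledge of s

def dv_verify(y1, pk, m, dvsig):
    u, rF, rbar, sbar = dvsig
    r = H(m, u)
    w = u * pow(y1, r, P) % P                     # = g^s when u stems from a real signature
    ubar = pow(G, sbar, P) * pow(pow(w, rbar, P), -1, P) % P
    return J(m, r, u, F(pk, to_zq(ubar), rF)) == rbar

def dv_forge(y1, sk, pk, m):
    """Verifier's simulation behind Theorem 4 (my reconstruction): fix the challenge on
    a dummy commitment, pick sbar freely, then re-open F at the implied commitment."""
    u = pow(G, rng.randrange(Q), P)
    r = H(m, u)
    w = u * pow(y1, r, P) % P
    ubar0, rF0 = pow(G, rng.randrange(Q), P), rng.randrange(Q)
    h = F(pk, to_zq(ubar0), rF0)
    rbar = J(m, r, u, h)
    sbar = rng.randrange(Q)
    ubar = pow(G, sbar, P) * pow(pow(w, rbar, P), -1, P) % P
    rF = csf(sk, to_zq(ubar0), rF0, to_zq(ubar))   # now F(pk, to_zq(ubar), rF) == h
    return u, rF, rbar, sbar

def demo(m=b"constructed message"):
    x1, y1 = keygen()                              # signer
    sk, pk = keygen()                              # designated verifier's TH key pair
    sig = sign(x1, m)
    dv = designate(y1, pk, m, sig)
    u, rF, rbar, sbar = dv
    m1, r1, m2 = 5, 77, 900                        # constructed inputs for the TH check
    return {
        "th_collision": F(pk, m1, r1) == F(pk, m2, csf(sk, m1, r1, m2)),
        "pv_ok": verify(y1, m, sig),
        "dv_ok": dv_verify(y1, pk, m, dv),
        "forged_ok": dv_verify(y1, pk, m, dv_forge(y1, sk, pk, m)),
        "tampered_message": dv_verify(y1, pk, m + b"!", dv),
        "tampered_challenge": dv_verify(y1, pk, m, (u, rF, rbar + 1, sbar)),
    }
```

`demo()` reports the chameleon-hash collision, the honest PV and DV verifications and the verifier's forgery as True, and the two tampered DV signatures as False. The only secret the designator reveals is a proof of knowledge of s; the verifier's forgery never learns s, which is the separation between DV-unforgeability (Theorem 3) and privacy (Theorem 4).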



5 RSA-based Scheme: RSAUDVS

The idea for the construction of an RSA-based UDVS scheme is analogous to the second Schnorr-based scheme SchUDVS2, and is described as follows. The PV RSA signature known to the designator is the eth root σ = h^d mod N of the message hash h, where (N, e) is the signer's RSA public key. To produce a DV signature on m, the designator computes a zero-knowledge proof of knowledge of the PV signature σ (made non-interactive using the Fiat-Shamir method [5]), which is forgeable by the verifier. The Guillou-Quisquater ID-based signature [7] is based on such a proof and is applied here for this purpose. To make the proof forgeable by the verifier, we use a trapdoor hash function in the computation of the challenge, as done in the SchUDVS2 scheme. We note that a restriction of the GQ proof that we use is that the random challenge r must be smaller than the public exponent e. To allow for small public exponents and achieve a high security level, we apply α proofs in 'parallel', where α is chosen to achieve a sufficient security level — see the security bound in our security analysis (a similar technique is used in the Fiat-Shamir signature scheme [5]).

The resulting scheme is defined as follows. Let {0,1}^{≤ℓ} denote the message space of all bit strings of length at most ℓ bits. The scheme makes use of two cryptographic hash functions H : {0,1}^{≤ℓ} × R_S → {0,1}^{l_N} and J : {0,1}^{≤ℓ} × Z_N × {0,1}^{l_F} → Z_e^α. Note that we only need to assume that J(.) is a random-oracle in our security analysis, and that we allow randomized RSA signatures with hash generation h = H(m; s) for random s. The corresponding verification is to check if R(h, m) = Acc or not, where R(.) is a binary relation function that outputs Acc if h is a valid hash of message m and outputs Rej else. Thus by a suitable choice of H(., .) and R(., .) our scheme can be instantiated with any of the standardised variants of RSA signatures such as RSASSA-PSS or RSASSA-PKCS1-v1_5, as specified in the PKCS#1 standard [13]. We also use a trapdoor hash function scheme TH = (GKF, F, CSF) with F_{y_3} : {0,1}^* × R_F → {0,1}^{l_F} (we refer the reader to Section 2 for a definition of trapdoor hash function schemes). Here l_N denotes the length of the RSA modulus N of the signer's public key.

1. Common Parameter Generation GC. (Identical to RSA). The common 
parameters are cp = k (k is the security parameter). 

2. Signer Key Generation GKS. (Identical to RSA). Given the common 
parameters cp, choose a prime $e > 2^{l_e}$. Pick random primes p and q such 
that N = pq has bit-length $l_N$ and $\gcd(e, \phi(N)) = 1$, where $\phi(N) = (p-1)(q-1)$. 
Compute $d = e^{-1} \bmod \phi(N)$. The public key is $pk_1 = (cp, N, e)$. 
The secret key is $sk_1 = (cp, N, e, d)$. 

3. Verifier Key Generation GKV. Given the common parameters cp = k, run TH's 
key-generation algorithm to compute $(sk, pk) = \mathrm{GKF}(k)$. The public key is 
$pk_3 = (cp, pk)$. The secret key is $sk_3 = (cp, sk, pk)$. 

4. Signing S. (Identical to RSA). Given the signer's secret key (cp, N, e, d) 
and message m, choose a random $s \in R_S$ and compute $h = H(m; s)$ and 
$\sigma = h^d \bmod N$. The PV signature is $\sigma$. 

5. Public Verification V. (Identical to RSA). Given the signer's public key 
(cp, N, e) and a message/PV-signature pair $(m, \sigma)$, accept if and only if 
$R(m, h) = \mathrm{Acc}$, where $h = \sigma^e \bmod N$. 

6. Designation CDV. Given the signer's public key (cp, N, e), a verifier's public 
key $pk_3 = (cp, pk)$ and a message/PV-signature pair $(m, \sigma)$, choose random 
elements $k_i \in \mathbb{Z}_N^*$ and compute $u = (u_1, \ldots, u_a)$, where $u_i = k_i^{\,e} \bmod N$ 
for $i = 1, \ldots, a$. Compute $h = F_{pk}(u; r_F)$ for random $r_F \in R_F$. Compute 
$r = (r_1, \ldots, r_a) = J(m, \bar{h}, h)$, where $\bar{h} = \sigma^e \bmod N$ and $r_i \in \mathbb{Z}_e$ for 
$i = 1, \ldots, a$. Compute $\bar{s} = (\bar{s}_1, \ldots, \bar{s}_a)$, where $\bar{s}_i = k_i \cdot \sigma^{r_i} \bmod N$ for all 
$i = 1, \ldots, a$. The DV signature is $\hat{\sigma} = (\bar{h}, r_F, r, \bar{s})$. 

7. Designated Verification VDV. Given a signer's public key (cp, N, e), a 
verifier's secret key $sk_3 = (cp, sk, pk)$, and a message/DV-signature pair 
$(m, (\bar{h}, r_F, r, \bar{s}))$, accept if and only if $J(m, \bar{h}, h) = r$ and $R(m, \bar{h}) = \mathrm{Acc}$, 
where $h = F_{pk}(u; r_F)$ with $u = (u_1, \ldots, u_a)$ and 
$u_i = \bar{s}_i^{\,e} \cdot \bar{h}^{-r_i} \bmod N$ for $i = 1, \ldots, a$. 
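As an added example written for this page (not the authors' implementation), the following Python instantiates steps 2-7 end to end on toy parameters and also shows the verifier's trapdoor forgery that underlies the privacy claim. It assumes an RSA-style chameleon hash standing in for TH (a standard construction chosen here, with the verifier's RSA secret exponent as trapdoor), SHA-256 stand-ins for H and J, and hard-coded Mersenne primes far below any secure size.

```python
"""Toy RSAUDVS (added example for this page, not the paper's code).

Assumptions: H(m; s) and J are derived from SHA-256; the trapdoor hash TH is
an RSA-style chameleon hash F_pk(u; r) = K_V^SHA(u) * r^e mod N_V whose
trapdoor is the verifier's secret exponent d_V (a standard construction chosen
here, not the paper's); the moduli use hard-coded Mersenne primes, so every
parameter is far too small for real use and exists only to run the protocol.
"""
import hashlib
import secrets

E = 65537                       # small prime public exponent e, l_e = 16 bits
K = 32                          # toy security parameter k
A = (K + 15) // 16 + 1          # a = ceil(k / log2(e)) + 1 parallel GQ rounds (3)
SIGNER_P, SIGNER_Q = (1 << 61) - 1, (1 << 31) - 1     # toy signer primes
VERIF_P, VERIF_Q = (1 << 89) - 1, (1 << 107) - 1      # toy verifier primes

def sha_int(*parts):
    """SHA-256 over the textual parts, as an integer (random-oracle stand-in)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(repr(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

def rsa_keygen(p, q):
    """Step 2 (and TH key-gen): N = pq, d = e^-1 mod phi(N); gcd(e, phi) must be 1."""
    phi = (p - 1) * (q - 1)
    return p * q, pow(E, -1, phi), phi

N, D, _ = rsa_keygen(SIGNER_P, SIGNER_Q)          # signer: pk_1 = (N, e), sk_1 = d
N_V, D_V, PHI_V = rsa_keygen(VERIF_P, VERIF_Q)    # verifier: pk = (N_V, K_V), sk = d_V
K_V = 9                                           # fixed public base of TH (coprime to N_V)

def H(m, s):
    """Randomised message hash H(m; s) in Z_N (toy stand-in for a PSS encoding)."""
    return sha_int("H", m, s) % N

def F(u, r):
    """Chameleon hash F_pk(u; r) = K_V^SHA(u) * r^e mod N_V."""
    return pow(K_V, sha_int("F", u), N_V) * pow(r, E, N_V) % N_V

def F_collide(u, r, u_new):
    """Trapdoor collision: r' with F(u_new; r') = F(u; r), computed with d_V."""
    delta = (sha_int("F", u) - sha_int("F", u_new)) % PHI_V
    return r * pow(K_V, delta * D_V, N_V) % N_V

def J(m, hbar, h):
    """Challenge r = (r_1..r_a) in Z_e^a; each r_i < e, as the GQ proof requires."""
    digest = sha_int("J", m, hbar, h)
    return [(digest >> (16 * i)) & 0xFFFF for i in range(A)]

def pv_sign(m):
    """Step 4: sigma = H(m; s)^d mod N; s is returned so that R(m, h) can be checked."""
    s = secrets.randbelow(N)
    return pow(H(m, s), D, N), s

def pv_verify(m, sigma, s):
    """Step 5: R(m, h) = Acc iff h = sigma^e mod N equals H(m; s)."""
    return pow(sigma, E, N) == H(m, s)

def designate(m, sigma, s):
    """Step 6: a-round GQ proof of knowledge of sigma, challenge bound through TH."""
    ks = [secrets.randbelow(N - 1) + 1 for _ in range(A)]
    u = [pow(k, E, N) for k in ks]                   # u_i = k_i^e mod N
    r_F = secrets.randbelow(N_V - 1) + 1
    h = F(u, r_F)
    hbar = pow(sigma, E, N)                          # hbar = sigma^e = H(m; s)
    r = J(m, hbar, h)
    sbar = [k * pow(sigma, ri, N) % N for k, ri in zip(ks, r)]
    return hbar, r_F, r, sbar, s                     # DV signature (hbar, r_F, r, sbar), plus s

def dv_verify(m, dv_sig):
    """Step 7: rebuild u_i = sbar_i^e * hbar^-r_i mod N and re-derive the challenge."""
    hbar, r_F, r, sbar, s = dv_sig
    u = [pow(si, E, N) * pow(hbar, -ri, N) % N for si, ri in zip(sbar, r)]
    return J(m, hbar, F(u, r_F)) == r and hbar == H(m, s)

def verifier_forge(m):
    """Privacy: the designated verifier builds a valid DV signature from the TH
    trapdoor alone, with no PV signature at all, so a DV signature is no
    evidence to anyone else."""
    s = secrets.randbelow(N)
    hbar = H(m, s)
    u0 = [secrets.randbelow(N - 1) + 1 for _ in range(A)]    # throwaway u
    r_F0 = secrets.randbelow(N_V - 1) + 1
    r = J(m, hbar, F(u0, r_F0))                              # fix the challenge first
    sbar = [secrets.randbelow(N - 1) + 1 for _ in range(A)]  # then pick responses freely
    u = [pow(si, E, N) * pow(hbar, -ri, N) % N for si, ri in zip(sbar, r)]
    return hbar, F_collide(u0, r_F0, u), r, sbar, s          # collide TH onto the real u
```

For a standardised PSS-style H the salt s is recoverable from the encoding; here it is carried alongside the DV signature so that R(m, h) can be evaluated.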

Unforgeability. Similar to the scheme SchUDVS2, thanks to the soundness of 
the GQ proof of knowledge of RSA inverses, we can prove the DV unforgeability 
of RSAUDVS assuming the PV-unforgeability of RSAUDVS (i.e. the existential 
unforgeability under chosen-message attack of the underlying standard RSA 
signature (GKS, S, V)) and the collision-resistance of the trapdoor hash TH. The 
concrete result is the following. 

Theorem 5 (Strong DV-Unforg. of RSAUDVS). If RSAUDVS is PV-unforgeable 
(UF-PV notion) and TH is collision-resistant (CR notion) then 
RSAUDVS achieves Strong DV-unforgeability (ST-UF-DV notion) in the 
random-oracle model for $J(\cdot)$. Concretely, the following insecurity bound holds: 

$$
\mathrm{InSec}^{\mathrm{ST\text{-}UF\text{-}DV}}_{\mathrm{RSAUDVS}}(t, q_S, q_V, q_J, q_H) \le 
2\big[(q_J + q_V)\,q_S\big]^{1/2}\, 
\Big[\mathrm{InSec}^{\mathrm{UF\text{-}PV}}_{\mathrm{RSAUDVS}}(t[S], q_S[S], q_H[S]) + \mathrm{InSec}^{\mathrm{CR}}_{\mathrm{TH}}(t[T])\Big]^{1/2} 
+ \frac{2(q_J + q_V)\,q_S + 1}{2^{\,\cdots}}, 
$$

where $t[S] = t[T] = 2t + O((q_J + q_V)(l_F + l_N) + l_e + C\,T_N)$, $q_S[S] = 2q_S$ and 
$q_H[S] = 2q_H$. Here we denote by $T_N$ the time needed to perform a multiplication 
in $\mathbb{Z}_N$ and $C = \log_2(e)$. 



Privacy. The privacy of RSAUDVS is unconditional, assuming the perfectly-
trapdoor property of the trapdoor hash scheme TH. 

Theorem 6 (Privacy of RSAUDVS). If the scheme TH is perfectly-trapdoor 
then RSAUDVS achieves complete and perfect unconditional privacy (PR notion). 



6 Scheme Comparison 

The following tables compare the security and performance features of the 
proposed schemes (also shown for comparison is an entry for the bilinear-based 
UDVS scheme DVSBM [16]). It is evident that SchUDVS1 is more computationally 
efficient than SchUDVS2 but its security relies on a stronger assumption and 
it also produces slightly longer DV signatures. The RSA-based scheme RSAUDVS 
has the disadvantage of a long DV signature length, assuming a low public exponent. 
However, the computation is about the same as in the Schnorr-based schemes. 

Scheme     Extended Sig.   Hard Problem   Det. Desig?   DV Sig. Length (typ) 
SchUDVS1   Schnorr         SDH            Yes           2.0 kb 
SchUDVS2   Schnorr         DL             No            1.5 kb 
RSAUDVS    RSA             RSA            No            11.6 kb 
DVSBM      BLS             BDH            Yes           1.0 kb 

Table 1. Comparison of UDVS Schemes. The column 'Det. Desig?' indicates if the 
scheme's designation algorithm is deterministic. Refer to [17] for assumptions used to 
compute typical DV sig. lengths. 



Scheme     Desig. Time                                   Ver. Time 
SchUDVS1   2 exp.                                        1 exp. 
SchUDVS2   2 exp. + TH                                   1 exp. + TH 
RSAUDVS    $2(\lceil k/\log_2(e) \rceil + 1)$ exp. + TH       $\lceil k/\log_2(e) \rceil + 1$ exp. + TH 
DVSBM      1 pairing                                     1 pairing + 1 exp. 

Table 2. Comparison of UDVS Schemes: Approximate Computation Time. Here we 
count the cost of computing a product as equivalent to a single exponentiation 
(exp.) in the underlying group. For RSAUDVS exponent lengths are all $\log_2(e)$. TH 
denotes the cost of evaluating the trapdoor hash function $F_{pk}$ (typ. 1 exp.). 

7 Conclusions 

We have shown how to efficiently extend the standard Schnorr and RSA signature 
schemes into Universal Designated-Verifier Signature schemes, and provided a 
concrete security analysis of the resulting schemes. One problem of our RSA 
scheme is that the length of designated signatures is larger than standard RSA 
signatures by a factor roughly proportional to $k/\log_2(e)$, where k is the security 
parameter and e is the public exponent. An interesting open problem is to find 
an RSA-based UDVS scheme with designated signatures only a constant factor 
longer than standard RSA signatures, independent of e. 
Abstract. In this paper, we provide the first committed signature provably 
secure in the standard complexity model based on the strong RSA 
assumption. The idea behind the construction is that, given any valid partial 
signature of message m, if a co-signer with its auxiliary input is able 
to generate variables called the resolution of message m such that the 
distribution of the variables is indistinguishable, from the point of view of the 
verifier/arbitrator, from those generated by the primary signer alone, 
then a committed signature can be derived from it. 

Keywords: Committed signatures, fair exchange protocols, strong RSA 
assumption 



1 Introduction 

In PODC 2003, Park, Chong, Siegel and Ray [15] provided a novel method of 
constructing a fair exchange protocol by distributing the computation of an RSA 
signature. This approach avoids the design of a verifiable encryption scheme at 
the expense of having the co-signer store a piece of the primary signer's secret key (please 
refer to [1], [4], [2], [3] for more details). Based on Park et al.'s study, Dodis and 
Reyzin [10] presented a unified model for non-interactive fair exchange protocols, 
which later resulted in a new primitive called committed signatures. Committed 
signatures work as follows: Alice can produce a partial signature to Bob; 
upon receiving what she needs from Bob, she can convert it to a full signature. 
If she refuses, the trusted third party Charlie can do it for her upon receipt 
of the partial signature and proper verification that Bob fulfilled his obligation to 
Alice. 

Park, Chong, Siegel and Ray's fair exchange protocol is actually a committed 
signature scheme, since the mechanism of non-interactive fair exchange is the 
same thing as a committed signature. Unfortunately this committed signature 
is totally breakable in the registration phase [10]. Dodis and Reyzin [10] then 
presented a remedy scheme by utilizing Boldyreva's non-interactive two-party 
multi-signature scheme [5]. Therefore Dodis and Reyzin's committed signature 
is the first committed signature provably secure under the Gap Diffie-Hellman 
assumption in the random oracle paradigm. 



F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 101-114, 2004. 
(c) International Association for Cryptologic Research 2004 
Security in the random oracle model does not imply security in the real 
world. The existence of committed signatures is obvious in the standard complexity 
model provided the underlying signature schemes are provably secure in 
the standard complexity model, as two signature schemes with keys $(pk_1, sk_1)$, $(pk_2, sk_2)$, 
letting $PK = (pk_1, pk_2)$, $SK = (sk_1, sk_2)$ and $\sigma = (\sigma_1, \sigma_2)$, are sufficient to build 
a secure committed signature. Therefore the challenging problem is to construct a 
committed signature consistent with a stand-alone signature scheme in the standard 
complexity model. In this paper, we are able to provide the first committed 
signature based on the strong RSA assumption. The idea behind the construction 
is that, given any valid partial signature of message m, if a co-signer with its 
auxiliary input is able to generate variables called the resolution of message m 
such that the distribution of the variables is indistinguishable, from the point of view 
of the verifier/arbitrator, from those generated by the primary signer alone, 
then a committed signature can be derived from it. 

The rest of the paper is organized as follows: in Section 2, we formalize the 
security definition of committed signatures; a committed signature is fully 
described in Subsection 3.1, and the proof of its security is presented in Subsection 
3.2. In Section 4, we construct committed signatures from the point of view of the real 
world by providing two efficient schemes with reuse of random strings. Finally 
the conclusion is presented in Section 5. 

2 Notions and Definitions 

The following definition of committed signatures formalizes the SAME notion 
as the non-interactive fair exchange introduced by Park, Chong, Siegel and Ray [15] 
and [10]. Therefore, the committed schemes presented in this report should be 
viewed as actual fair exchange protocols working in the real world. 

Definition 1 A committed signature involves a primary signer Alice, a verifier 
Bob and a co-signer (or arbitrator) Charlie, and is given by the following efficient 
procedures: 

-Key generator KG: This is an interactive protocol between a primary signer 
and a co-signer, by the end of which either one of the parties aborts, or 
the primary signer learns her secret signing key SK, the co-signer learns his 
secret key ASK, and both parties agree on the primary signer's public key 
PK and partial verification key APK; 

-Fully signing algorithm Sig and its correspondent verification algorithm Ver: 
These are conventional signing and verification algorithms. Sig(m, SK), run 
by the primary signer, outputs a full signature $\sigma$ on m, while Ver(m, $\sigma$, PK), 
run by any verifier, outputs 1 (accept) or 0 (reject); 

-Partially signing algorithm PSig and the correspondent verification algorithm 
PVer: These are partial signing and verification algorithms, which are similar 
to ordinary signing and verification algorithms, except they can depend 
on the public arbitration key APK. PSig(m, SK, PK, APK), run by the 
primary signer, outputs a partial signature $\sigma'$, while PVer(m, $\sigma'$, PK, APK), 
run by any verifier, outputs 1 (accept) or 0 (reject); 

-Resolution algorithm Res: This is a resolution algorithm run by the co-signer 
(arbitrator) in case the primary signer refuses to open her signature $\sigma$ to 
the verifier, who in turn possesses a valid partial signature $\sigma'$ on m and 
a proof that he fulfilled his obligation to the primary signer. In this case, 
Res(m, $\sigma'$, ASK, PK) should output a valid full signature of m. 

Correctness of committed signatures states that: (1) Ver(m, Sig(m, SK), PK) = 1; 
(2) PVer(m, PSig(m, SK, PK, APK), PK, APK) = 1; and (3) Ver(m, 
Res(PSig(m, SK, PK, APK), ASK, APK, PK), PK) = 1. 



2.1 Security of Committed Signatures 

Recall that a committed signature formalizes the same notion as a non-interactive 
fair exchange. The security of a committed signature scheme should consist of 
ensuring three aspects: security against a primary signer Alice, security against 
a verifier Bob, and security against a co-signer/arbitrator Charlie. 

Security against a primary signer Intuitively, a primary signer Alice 
should not be able to provide a partial signature which is valid both from the point of view 
of a verifier and of a co-signer but which will not be opened into the primary 
signer's full signature by the honest co-signer. More formally: 

Let P be an oracle simulating the partial signing procedure PSig, and R 
be an oracle simulating the resolution procedure Res. Let k be the system security 
parameter. We require that any probabilistic polynomial time Adv succeeds with 
at most negligible probability in the following experiment. 

Experiment 1 (security against primary signer): 

1.1: Key generation: $(SK^*, PK, ASK, APK) \leftarrow KG^*(1^k)$, where $KG^*$ denotes 
the run of key generator KG with the dishonest primary signer controlled by the 
adversary, and $SK^*$ denotes the adversary's state. 

1.2: Res oracle query: In this phase, for each adaptively chosen message $m_j$, 
the adversary computes its partial signature $\sigma_j'$ for $m_j$. Finally the adversary 
forwards $\sigma_j'$ to the oracle R to obtain the full signature $\sigma_j$ of message $m_j$, where 
$1 \le j \le p(k)$, and $p(\cdot)$ is a polynomial. At the end of the R oracle queries, the 
adversary produces a message and its full signature pair $(m, \sigma)$, i.e., 
$(m, \sigma') \leftarrow Adv^{R}(SK^*, PK, APK)$, $\sigma \leftarrow Adv(m, \sigma', SK^*, APK, PK)$, where 
$m \ne m_j$, $1 \le j \le p(k)$. 

1.3. Success of Adv := $[PVer(m, \sigma', APK, PK) = 1 \wedge Ver(m, \sigma, PK) = 0]$. 

Definition 2 A committed signature scheme is secure against primary signer 
attack if any probabilistic polynomial time adversary Adv associated with the Resolution 
oracle succeeds with at most negligible probability, where the probability 
is taken over the coin tosses in $KG(\cdot)$, $PSig(\cdot)$ and $R(\cdot)$. 

Security against verifier We consider the following scenario: suppose a 
primary signer Alice and a verifier Bob are trying to exchange signatures in a 
fair way. Alice wants to commit to the transaction by providing her partial 
signature. Of course, it should be computationally infeasible for Bob to compute 
the full signature from the partial signature. More formally, we require that any 
probabilistic polynomial time adversary Adv succeeds with at most negligible 
probability in the following experiment: 

Experiment 2 (security against verifier): 

2.1 Key generation: $(SK, PK, ASK, APK) \leftarrow KG(1^k)$, where KG is run by 
the honest primary signer and honest co-signer. The adversary Adv is admitted to 
make queries to the two oracles P and R. 

2.2 P and R oracle query: For each adaptively chosen message $m_j$, the adversary 
obtains the partial signature $\sigma_j'$ of message $m_j$ by querying the partial 
signing oracle P. Then the adversary forwards $\sigma_j'$ to the resolution oracle R to 
obtain the full signature $\sigma_j$ of message $m_j$, where $1 \le j \le p(k)$, and $p(\cdot)$ is a 
polynomial. At the end of both the P and R oracle queries, the adversary produces 
a message/full-signature pair $(m, \sigma) \leftarrow Adv^{P,R}(PK, APK)$. 

2.3 Success of adversary Adv := $[Ver(m, \sigma, PK) = 1 \wedge m \notin Query(Adv, R)]$, 
where Query(Adv, R) is the set of valid queries the adversary Adv asked to the 
resolution oracle R, i.e., $(m, \sigma')$ such that $PVer(m, \sigma') = 1$. 

Definition 3 A committed signature scheme is secure against verifier attack if 
any probabilistic polynomial time adversary Adv associated with the partial signing 
oracle P and the resolution oracle R succeeds with at most negligible probability, 
where the probability is taken over the coin tosses in $KG(\cdot)$, $P(\cdot)$ and $R(\cdot)$. 

Security against co-signer/arbitrator This property is crucial. Even 
though the co-signer (arbitrator) is semi-trusted, the primary signer does not 
want this co-signer to produce a valid signature which the primary signer did 
not intend on producing. To achieve this goal, we require that any probabilistic 
polynomial time adversary Adv associated with the partial signing oracle P succeeds 
with at most negligible probability in the following experiment: 

Experiment 3 (security against co-signer/arbitrator): 

3.1 Key generation: $(SK, PK, ASK^*, APK) \leftarrow KG^*(1^k)$, where $KG^*(1^k)$ 
is run with the dishonest co-signer or arbitrator. The adversary Adv is admitted to 
make queries to the partial signing oracle P. 

3.2 P oracle query: For each adaptively chosen message $m_j$, the adversary 
obtains the partial signature $\sigma_j'$ for $m_j$ from the oracle P, where $1 \le j \le 
p(k)$, and $p(\cdot)$ is a polynomial. At the end of the partial signing oracle 
queries, the adversary produces a message/full-signature pair $(m, \sigma)$, i.e., 
$(m, \sigma) \leftarrow Adv^{P}(ASK^*, PK, APK)$. 

3.3 Success of adversary Adv := $[Ver(m, \sigma, PK) = 1 \wedge m \notin Query(Adv, P)]$, 
where Query(Adv, P) is the set of valid queries Adv asked to the partial signing oracle 
P, i.e., $(m, \sigma')$ such that $PVer(m, \sigma') = 1$. 

Definition 4 A committed signature scheme is secure against co-signer attack 
if any probabilistic polynomial time adversary Adv associated with the partial signing 
oracle P succeeds with at most negligible probability, where the probability 
is taken over the coin tosses in $KG(\cdot)$ and $P(\cdot)$. 

Definition 5 A committed signature scheme is secure if it is secure against 
primary signer attack, verifier attack and co-signer attack. 
3 Constructing Committed Signatures from the Strong RSA Assumption 

3.1 Our Committed Signature Scheme 

We utilize Zhu's signature as the primary building block to construct the committed 
signature scheme [16]. We remark that the use of Zhu's signature is not essential. 
Cramer-Shoup's signature including the trapdoor hash signature [9], Camenisch 
and Lysyanskaya's [7] and Fischlin's signature scheme [11] are all suitable for our 
purposes. Nevertheless, among the signatures mentioned above, Zhu's signature 
is the most efficient. 

Zhu's signature scheme Zhu's signature scheme is defined as follows [16]: 

— Key generation algorithm: Let p, q be two large safe primes (i.e., $p - 1 = 
2p'$ and $q - 1 = 2q'$, where $p', q'$ are two primes with length $(l + 1)$). Let 
$n = pq$ and $QR_n$ be the group of quadratic residues of $\mathbb{Z}_n^*$. Let $X, g, h \in QR_n$ be three 
generators chosen uniformly at random. The public key is $(n, g, h, X, H)$, 
where H is a collision-free hash function with output length l. The private 
key is $(p, q)$. 

— Signature algorithm: To sign a message m, an $(l + 1)$-bit prime e and a string 
$t \in \{0, 1\}^l$ are chosen at random. The equation $y^e = X g^t h^{H(m)} \bmod n$ is 
solved for y. The corresponding signature of the message m is $(e, t, y)$. 

— Verification algorithm: Given a putative triple $(e, t, y)$, the verifier checks 
that e is an $(l + 1)$-bit odd number. Then it checks the validity of $X = 
y^e g^{-t} h^{-H(m)} \bmod n$. If the equation is valid, then the signature is valid. Otherwise, 
it is rejected. 

Strong RSA assumption: The strong RSA assumption was introduced by 
Baric and Pfitzmann [6] and Fujisaki and Okamoto [12]: the strong RSA assumption 
is that it is hard, on input an RSA modulus n and an element $z \in \mathbb{Z}_n^*$, 
to compute values $e > 1$ and y such that $y^e = z \bmod n$. More formally, we assume 
that for all polynomial time circuit families $A_k$, there exists a negligible function 
$\nu(k)$ such that: 

$$\Pr[\,n \leftarrow G(1^k),\ z \leftarrow \mathbb{Z}_n^*,\ (e, y) \leftarrow A_k(n, z) : e > 1 \wedge y^e = z \bmod n\,] = \nu(k)$$

The following lemma, due to Guillou-Quisquater [14], is useful to prove the 
security of the committed signature scheme. 

Guillou-Quisquater lemma Suppose $w^e = z^{\delta} \bmod n$ and $d = \gcd(e, \delta)$. Then 
there exists an efficient algorithm computing the $(e/d)$-th root of z. 
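The lemma only asserts that such an algorithm exists; as an added example (written for this page, not taken from the paper), here is the algorithm for the case $\gcd(e, \delta) = 1$ that the reductions in Section 3.2 rely on, exercised on a constructed toy modulus.

```python
# Added example (not from the paper): the Guillou-Quisquater root-extraction
# step behind the lemma, for d = gcd(e, delta) = 1. From w^e = z^delta (mod n)
# and integers a, b with a*e + b*delta = 1 (extended Euclid), the e-th root
# of z is z^a * w^b, because (z^a w^b)^e = z^{ae} (w^e)^b = z^{ae} z^{b delta} = z.


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def gq_root(w, z, e, delta, n):
    """Given w^e = z^delta (mod n) with gcd(e, delta) = 1 and z, w units mod n,
    return y with y^e = z (mod n) without knowing the factorisation of n."""
    g, a, b = egcd(e, delta)
    if g != 1:
        raise ValueError("only an (e/gcd)-th root is obtainable when gcd > 1")
    if pow(w, e, n) != pow(z, delta, n):
        raise ValueError("premise w^e = z^delta does not hold")
    return pow(z, a, n) * pow(w, b, n) % n      # negative a or b: modular inverse


def demo():
    """Constructed instance on the toy modulus n = 61 * 53: the instance is
    built with the factorisation, then the root is extracted without it."""
    n, phi = 61 * 53, 60 * 52
    z, e, delta = 5, 11, 7
    w = pow(pow(z, delta, n), pow(e, -1, phi), n)   # w^e = z^delta by construction
    y = gq_root(w, z, e, delta, n)
    return pow(y, e, n) == z
```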

Zhu's signature scheme is immune to adaptive chosen-message attack in the 
sense of Goldwasser, Micali and Rivest [13], under the joint assumptions of the strong 
RSA problem as well as the existence of collision-free hash functions. Please refer 
to the appendix for details. Based on Zhu's signature scheme, we are ready to 
describe the new committed signature below. 

Key generation algorithm: We choose two safe primes $p = 2p' + 1$, $q = 
2q' + 1$ and compute $N = pq$. Denote the group of quadratic residues of $\mathbb{Z}_N^*$ by $QR_N$. Let 
$x, h_1, h_2$ be elements chosen uniformly at random from the cyclic group $QR_N$. 
Let PriG be a prime generator. On input $1^k$, it generates $2s + 1$ primes, each with 
bit length $(l + 1)$. The prime pair $\{e_{i,1}, e_{i,2}\}$ is indexed by some $i \in I$ ($1 \le i \le s$). 
The public key $(X, g_1, g_2)$ is computed from $x, h_1, h_2$ and $(e_{1,2}, e_{2,2}, \ldots, e_{s,2})$ as 
follows: 

$$X \leftarrow x^{e_{1,2} e_{2,2} \cdots e_{s-1,2} e_{s,2}} \bmod N$$

$$g_1 \leftarrow h_1^{e_{1,2} e_{2,2} \cdots e_{s-1,2} e_{s,2}} \bmod N$$

$$g_2 \leftarrow h_2^{e_{1,2} e_{2,2} \cdots e_{s-1,2} e_{s,2}} \bmod N$$

Denote by $I_{used}$ the subset of the index set in which each index i has been used to sign 
some message. We then build a publicly accessible prime list table PriT 
as follows. On input $i \in I_{used}$, PriT outputs $\{e_{i,1}, e_{i,2}\}$. 

The primary signer's public key PK is $(N, X, g_1, g_2, H, \mathrm{PriT}, I_{used})$. The 
private key SK is $(x, h_1, h_2, p, q, \{(e_{i,1}, e_{i,2}) : 1 \le i \le s\})$, where H is a publicly 
known collision-free hash function. 

The APK of the co-signer is $(N, X, g_1, g_2, H, \mathrm{PriT}, I_{used})$. The secret key of 
the co-signer ASK is $(x, h_1, h_2, (e_{1,2}, e_{2,2}, \ldots, e_{s,2}))$. 

Partial signing algorithm PSig and correspondent verification algorithm 
PVer: To sign a message m, we choose $i \in I \setminus I_{used}$ and a random 
string $t_{i,1} \in \{0, 1\}^l$. The equation 

$$y_{i,1}^{\,e_{i,1}} = X g_1^{t_{i,1}} g_2^{H(t_{i,1} \| m)} \bmod N$$

is solved for $y_{i,1}$. 

We then update the index set $I_{used}$ by accumulating 

$$I_{used} \leftarrow I_{used} \cup \{i\}$$

The partial signature of message m is $\sigma' = (i, e_{i,1}, t_{i,1}, y_{i,1})$. 

Upon receiving a putative partial signature $\sigma' = (i, e_{i,1}, t_{i,1}, y_{i,1})$, the 
verification algorithm checks whether $i \in I_{used}$ or not; if $i \notin I_{used}$, then it 
outputs 0, otherwise it runs PriT on input i to obtain a prime pair $(e_{i,1}, e_{i,2})$ 
and it outputs 1, i.e., $PVer(m, \sigma') = 1$, if $\sigma'(m)$ satisfies the equation: 

$$X = y_{i,1}^{\,e_{i,1}} g_1^{-t_{i,1}} g_2^{-H(t_{i,1} \| m)} \bmod N$$

Full signing algorithm Sig and correspondent verification algorithm 
Ver: To fully sign the message m, for the given i, we obtain the prime pair 
$\{e_{i,1}, e_{i,2}\}$ by running PriT on input $i \in I_{used}$. Then we choose a random string 
$t_{i,2} \in \{0, 1\}^l$ uniformly at random and compute $y_{i,2}$ from the equation: 

$$y_{i,2}^{\,e_{i,2}} = X g_1^{t_{i,2}} g_2^{H(t_{i,1} \| m)} \bmod N$$

The corresponding full signature $\sigma$ of the message m is defined below: 

$$\sigma := (i, e_{i,1}, e_{i,2}, t_{i,1}, t_{i,2}, y_{i,1}, y_{i,2})$$

To verify the correctness of a full signature $\sigma$, the verification algorithm 
checks whether $i \in I_{used}$ or not; if $i \notin I_{used}$, then it outputs 0, otherwise it runs 
PriT on input i to obtain a prime pair $(e_{i,1}, e_{i,2})$. Finally it tests whether the 
following equations are valid: 

$$X = y_{i,1}^{\,e_{i,1}} g_1^{-t_{i,1}} g_2^{-H(t_{i,1} \| m)} \bmod N$$

and 

$$X = y_{i,2}^{\,e_{i,2}} g_1^{-t_{i,2}} g_2^{-H(t_{i,1} \| m)} \bmod N$$

If both equations are valid, then the verification function outputs $Ver(m, \sigma) = 
1$, otherwise it outputs 0. 

Resolution algorithm Res: Given a partial signature $\sigma' = (i, e_{i,1}, t_{i,1}, y_{i,1})$ 
of message m, the co-signer runs the prime list table PriT on input $i \in I_{used}$ to 
obtain the pair of primes $(e_{i,1}, e_{i,2})$, and checks whether $e_{i,1}$ is a component of the 
partial signature $\sigma'$ (such a prime $e_{i,1}$ is called a valid prime). If it is valid then 
the co-signer checks the validity of the following equation: 

$$y_{i,1}^{\,e_{i,1}} = X g_1^{t_{i,1}} g_2^{H(t_{i,1} \| m)} \bmod N$$

If it is valid, the co-signer then computes: 

$$X_i \leftarrow x^{e_{1,2} \cdots e_{i-1,2} e_{i+1,2} \cdots e_{s,2}} \bmod N,$$

$$g_{i,1} \leftarrow h_1^{e_{1,2} \cdots e_{i-1,2} e_{i+1,2} \cdots e_{s,2}} \bmod N$$

and 

$$g_{i,2} \leftarrow h_2^{e_{1,2} \cdots e_{i-1,2} e_{i+1,2} \cdots e_{s,2}} \bmod N.$$

Finally, the co-signer chooses a random string $t'_{i,2} \in \{0, 1\}^l$ and computes 
$y_{i,2}$ from the following equation: 

$$y_{i,2} = X_i\, g_{i,1}^{\,t'_{i,2}}\, g_{i,2}^{\,H(t_{i,1} \| m)} \bmod N$$

The output of the resolution algorithm is $(i, e_{i,1}, e_{i,2}, t_{i,1}, t'_{i,2}, y_{i,1}, y_{i,2})$. 

Obviously, 

$$X = y_{i,2}^{\,e_{i,2}} g_1^{-t'_{i,2}} g_2^{-H(t_{i,1} \| m)} \bmod N.$$

-We remark that the choice of the random string $t'_{i,2} \in \{0, 1\}^l$ in the resolution 
phase does not depend on the random string $t_{i,2}$ in the full signature algorithm. 
If we insist on the same string being used in the resolution algorithm Res, then 
the random pair $(t_{i,1}, t_{i,2})$ can be listed as a publicly known random string set which 
is also indexed by the set I. 




108 



Huafei Zhu 



-We remark that the number of signatures is bounded by s, where $s(\cdot)$ is a 
polynomial of the security parameter k. This is an interesting property as a primary 
signer can specify the number of signatures for each certificate during its validity 
duration. 

-We also remark that the scheme requires both the signer and co-signer to be 
stateful to keep count of $i \in I_{used}$ and so never reuse primes. And the used index 
set $I_{used}$, updated after each signature generation, is apparently assumed to be 
accessible to the verifier and co-signer. 
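An added, runnable toy instantiation of the scheme above in Python (example code written for this page, not the author's): key generation, PSig/PVer, Sig/Ver and the co-signer's Res, which completes a signature without the factorisation. It assumes hard-coded safe primes p = 1019, q = 1187, l = 16, SHA-256 truncated to l bits for H, and plain Python containers for PriT and I_used.

```python
"""Toy instantiation of the Section 3.1 committed signature (added example for
this page, not the author's code). Assumptions: safe primes p = 1019, q = 1187
and l = 16 are hard-coded toy values far below any secure size; H is SHA-256
truncated to l bits; the (l+1)-bit primes are drawn by trial division; PriT and
I_used are plain containers inside PK, mirroring the paper's stateful parties."""
import hashlib
import secrets
from math import gcd, prod

L = 16                                   # l: hash / random-string length in bits
P, Q = 1019, 1187                        # toy safe primes p = 2*509+1, q = 2*593+1
N = P * Q
ORDER = ((P - 1) // 2) * ((Q - 1) // 2)  # p'q' = order of QR_N (signer's trapdoor)

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def random_prime():
    """Uniform (l+1)-bit prime coprime to p'q', so e-th roots exist in QR_N."""
    while True:
        e = secrets.randbits(L + 1) | (1 << L) | 1
        if is_prime(e) and gcd(e, ORDER) == 1:
            return e

def random_qr():
    """Uniform element of QR_N (square of a random unit)."""
    while True:
        b = secrets.randbelow(N - 1) + 1
        if gcd(b, N) == 1:
            return pow(b, 2, N)

def H(t, m):
    """Collision-resistant hash of t || m with l-bit output (SHA-256 truncated)."""
    return int.from_bytes(hashlib.sha256(f"{t}|{m}".encode()).digest(), "big") >> (256 - L)

def keygen(s):
    """(PK, SK, ASK) for s prime pairs; X, g1, g2 = base^(product of all e_{i,2})."""
    x, h1, h2 = random_qr(), random_qr(), random_qr()
    primes = []
    while len(primes) < 2 * s:                       # 2s distinct (l+1)-bit primes
        e = random_prime()
        if e not in primes:
            primes.append(e)
    pairs = {i + 1: (primes[2 * i], primes[2 * i + 1]) for i in range(s)}
    prod2 = prod(e2 for _, e2 in pairs.values())
    X, g1, g2 = (pow(b, prod2, N) for b in (x, h1, h2))
    PK = {"X": X, "g1": g1, "g2": g2, "PriT": {}, "used": set()}
    SK = {"pairs": pairs}                            # p, q enter through ORDER
    ASK = {"x": x, "h1": h1, "h2": h2, "e2s": {i: e2 for i, (_, e2) in pairs.items()}}
    return PK, SK, ASK

def root(base, e):
    """e-th root in QR_N via the trapdoor exponent e^-1 mod p'q' (signer only)."""
    return pow(base, pow(e, -1, ORDER), N)

def psig(PK, SK, m):
    """PSig: fresh i, solve y1^e1 = X g1^t1 g2^H(t1||m), publish (e1, e2) in PriT."""
    i = next(j for j in SK["pairs"] if j not in PK["used"])   # never reuse an index
    e1, e2 = SK["pairs"][i]
    t1 = secrets.randbits(L)
    y1 = root(PK["X"] * pow(PK["g1"], t1, N) * pow(PK["g2"], H(t1, m), N) % N, e1)
    PK["used"].add(i)
    PK["PriT"][i] = (e1, e2)
    return (i, e1, t1, y1)

def pver(PK, m, partial):
    """PVer: 1 iff i in I_used, e1 matches PriT and X = y1^e1 g1^-t1 g2^-H(t1||m)."""
    i, e1, t1, y1 = partial
    if i not in PK["used"] or PK["PriT"][i][0] != e1:
        return 0
    lhs = pow(y1, e1, N) * pow(PK["g1"], -t1, N) * pow(PK["g2"], -H(t1, m), N) % N
    return int(lhs == PK["X"])

def sig(PK, SK, m, partial):
    """Sig: add y2 with y2^e2 = X g1^t2 g2^H(t1||m) (needs the factorisation)."""
    i, e1, t1, y1 = partial
    e2, t2 = PK["PriT"][i][1], secrets.randbits(L)
    y2 = root(PK["X"] * pow(PK["g1"], t2, N) * pow(PK["g2"], H(t1, m), N) % N, e2)
    return (i, e1, e2, t1, t2, y1, y2)

def ver(PK, m, full):
    """Ver: both verification equations of the full signature must hold."""
    i, e1, e2, t1, t2, y1, y2 = full
    if not pver(PK, m, (i, e1, t1, y1)) or PK["PriT"][i][1] != e2:
        return 0
    lhs = pow(y2, e2, N) * pow(PK["g1"], -t2, N) * pow(PK["g2"], -H(t1, m), N) % N
    return int(lhs == PK["X"])

def res(PK, ASK, m, partial):
    """Res: co-signer completes a valid partial signature without p, q, using
    X_i, g_{i,1}, g_{i,2} = base^(product of all e_{j,2} with j != i)."""
    if not pver(PK, m, partial):
        return None
    i, e1, t1, y1 = partial
    others = prod(e for j, e in ASK["e2s"].items() if j != i)
    Xi, gi1, gi2 = (pow(b, others, N) for b in (ASK["x"], ASK["h1"], ASK["h2"]))
    t2 = secrets.randbits(L)                         # t'_{i,2}: independent of the signer's
    y2 = Xi * pow(gi1, t2, N) * pow(gi2, H(t1, m), N) % N
    return (i, e1, ASK["e2s"][i], t1, t2, y1, y2)
```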



3.2 The Proof of Security 



Theorem 6: The committed signature is secure under the strong RSA assumption 
and the assumption that H is collision resistant in the standard complexity 
model. 

Proof: Security against the primary signer Alice is trivial since the co-signer 
holds ASK in the protocol. 

Security against the verifier Bob: Assume that the protocol is not secure against 
the verifier attack. That is, there is an adversary playing the role of the verifier in the 
actual protocol, who is able to forge a full signature $\sigma$ of a message m ($m \ne m_i$, 
$1 \le i \le f$) with non-negligible probability after it has queried the partial signing 
oracle and resolution oracle on messages $m_1, \ldots, m_f$, each chosen adaptively 
by the adversary. Let $(i, e_{i,1}, e_{i,2}, t_{i,1}, t'_{i,2}, y_{i,1}, y_{i,2})$ be the full signature provided 
by the partial signing oracle and the resolution oracle corresponding to the 
message $m_i$ ($1 \le i \le f$). We consider three types of forgeries as in [9]: 
1) for some $1 \le j \le f$, $e_{k,2} = e_{j,2}$ and $t'_{k,2} = t'_{j,2}$, where $k \notin \{1, \ldots, f\}$; 2) for 
some $1 \le j \le f$, $e_{k,2} = e_{j,2}$ and $t'_{k,2} \ne t'_{j,2}$, where $k \notin \{1, \ldots, f\}$; 3) for all 
$1 \le j \le f$, $e_{k,2} \ne e_{j,2}$, where $k \notin \{1, \ldots, f\}$. We should show that any forgery 
of the three types will lead to a contradiction to the assumptions of the 
theorem. This renders any forgery impossible. By the security definition, the 
adversary can query two types of oracles: the partial signing oracle and the resolution 
oracle. Therefore we should describe the two oracles in the following simulation 
according to the forgery types defined above. 

Type 1 forgery: On input $(z, e)$, where $z \in \mathbb{Z}_N^*$ and e is an $(l + 1)$-bit prime, we 
choose $(2f - 1)$ primes $(e_{i,1}, e_{i,2})$ for $1 \le i \ne j \le f$, each of length $(l + 1)$ 
bits. The j-th prime pair is defined by $(e_{j,1}, e)$. We compute PK and APK by 
choosing $z_1, z_2 \in \mathbb{Z}_N^*$ uniformly at random and computing 

$$g_1 \leftarrow z_1^{\,2 e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}} \cdot z^{\,2 e_{1,1} e_{1,2} \cdots e_{j-1,1} e_{j-1,2} e_{j,1} e_{j+1,1} e_{j+1,2} \cdots e_{f,1} e_{f,2}} \bmod N,$$

$$g_2 \leftarrow z_2^{\,2 e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}} \cdot z^{\,2 e_{1,1} e_{1,2} \cdots e_{j-1,1} e_{j-1,2} e_{j,1} e_{j+1,1} e_{j+1,2} \cdots e_{f,1} e_{f,2}} \bmod N,$$

$$X \leftarrow \beta^{\,2 e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}} \cdot z^{\,2 e_{1,1} e_{1,2} \cdots e_{j-1,1} e_{j-1,2} e_{j,1} e_{j+1,1} e_{j+1,2} \cdots e_{f,1} e_{f,2}\,(-a)} \bmod N,$$

where $a \in \{0, 1\}^{l+1}$ and $\beta \in \mathbb{Z}_N^*$ are chosen uniformly at random. 

Since the simulator knows each $e_{i,1}$ ($1 \le i \le f$), it is easy to 
compute the partial signing oracle of message $m_i$ ($1 \le i \le f$). And it is also 
easy to compute the resolution of the i-th message ($i \ne j$) queried to the resolution oracle 
Res. What we need to show is how to simulate the j-th resolution oracle 
query. This can be done as follows: 

$$y_{j,2}^{\,e} = X g_1^{t'_{j,2}} g_2^{H(t_{j,1} \| m_j)} 
= \beta^{\,2 e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}} \cdot z_1^{\,2 e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}\, t'_{j,2}} \cdot z_2^{\,2 e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}\, H(t_{j,1} \| m_j)} 
\cdot z^{\,2 e_{1,1} e_{1,2} \cdots e_{j-1,1} e_{j-1,2} e_{j,1} e_{j+1,1} e_{j+1,2} \cdots e_{f,1} e_{f,2}\,(-a + t'_{j,2} + H(t_{j,1} \| m_j))} \bmod N.$$

Now we set $-a + t'_{j,2} + H(t_{j,1} \| m_j) = 0$, i.e., $t'_{j,2} = a - H(t_{j,1} \| m_j)$. To show 
that the simulation is not trivial, we should show that $t'_{j,2}$ is uniformly distributed 
over $\{0, 1\}^l$ with non-negligible probability. Since $a \in \{0, 1\}^{l+1}$ is chosen uniformly 
at random, the probability that $t'_{j,2}$ belongs to the correct interval, and it does 
so with the correct uniform distribution, can be computed as follows: 

$$\frac{(2^{l+1} - 1) - 2^{l} + 1}{2^{l+1}} = \frac{1}{2}$$

Suppose the adversary is able to forge a signature of message $m_k$, 
denoted by $(k, e_{k,1}, e_{k,2}, t_{k,1}, t'_{k,2}, y_{k,1}, y_{k,2})$, where $e_{k,2} = e_{j,2}$ and $t'_{k,2} = t'_{j,2}$, 
$k \notin \{1, \ldots, f\}$. We cannot have $e_{k,2} = e_{j,2}$, $t'_{k,2} = t'_{j,2}$ and $y_{k,2} = y_{j,2}$ at the same time, as 
H is a collision free hash function. Now we have two equations: 

$$y_{k,2}^{\,e} = X g_1^{t'_{k,2}} g_2^{H(t_{k,1} \| m_k)} \bmod N$$

and 

$$y_{j,2}^{\,e} = X g_1^{t'_{j,2}} g_2^{H(t_{j,1} \| m_j)} \bmod N.$$

It follows that 

$$\Big(\frac{y_{j,2}}{y_{k,2}}\Big)^{e} = g_2^{\,H(t_{j,1} \| m_j) - H(t_{k,1} \| m_k)} 
= z_2^{\,2 e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}\,(H(t_{j,1} \| m_j) - H(t_{k,1} \| m_k))} 
\cdot z^{\,2 e_{1,1} e_{1,2} \cdots e_{j-1,1} e_{j-1,2} e_{j,1} e_{j+1,1} e_{j+1,2} \cdots e_{f,1} e_{f,2}\,(H(t_{j,1} \| m_j) - H(t_{k,1} \| m_k))} \bmod N,$$

where $e_{j,2} = e$. Consequently, one is able to extract the e-th root of z with 
non-negligible probability. It contradicts the standard RSA assumption. 

Type 2 forgery: On input z and e, where $z \in \mathbb{Z}_N^*$ and e is an $(l + 1)$-bit prime, we 
choose $(2f - 1)$ primes $(e_{i,1}, e_{i,2})$ for $1 \le i \ne j \le f$. The j-th prime pair is defined 
by $(e_{j,1}, e)$. We compute PK and APK by choosing $z_1, z_2 \in \mathbb{Z}_N^*$ uniformly at 
random and computing 

$$g_1 \leftarrow z^{\,2 e_{1,1} e_{1,2} \cdots e_{j-1,1} e_{j-1,2} e_{j,1} e_{j+1,1} e_{j+1,2} \cdots e_{f,1} e_{f,2}} \bmod N,$$

$$g_2 \leftarrow z_2^{\,2 e_{1,1} e_{1,2} \cdots e_{j-1,1} e_{j-1,2} e_{j,1} e_{j,2} e_{j+1,1} e_{j+1,2} \cdots e_{f,1} e_{f,2}} \bmod N,$$

$$X \leftarrow z_1^{\,2 e_{1,1} e_{1,2} \cdots e_{j-1,1} e_{j-1,2} e_{j,1} e_{j,2} e_{j+1,1} e_{j+1,2} \cdots e_{f,1} e_{f,2}} \cdot g_1^{\,-a} \bmod N,$$

where $z_1, z_2 \in \mathbb{Z}_N^*$ and $a \in \{0, 1\}^l$ are chosen uniformly at random. Since $QR_N$ 
is a cyclic group, we can assume that $g_1, g_2$ are generators of $QR_N$ with overwhelming 
probability. 

Since $e_{i,1}$ for $1 \le i \le f$ are known, the partial signing oracle is 
perfect from the point of view of the adversary. To simulate the resolution oracle for 
the i-th message $m_i$ ($i \ne j$), we select a random string $t'_{i,2} \in \{0, 1\}^l$ and 
compute $y_{i,2}$ from 

$$y_{i,2}^{\,e_{i,2}} = X g_1^{t'_{i,2}} g_2^{H(t_{i,1} \| m_i)} 
= \Big( z_1^{\,2 e_{i,1} \prod_{\nu \ne i} e_{\nu,1} e_{\nu,2}} 
\cdot z^{\,2 e_{i,1} e_{j,1} \prod_{\nu \ne i, j} e_{\nu,1} e_{\nu,2}\,(t'_{i,2} - a)} 
\cdot z_2^{\,2 e_{i,1} \prod_{\nu \ne i} e_{\nu,1} e_{\nu,2}\, H(t_{i,1} \| m_i)} \Big)^{e_{i,2}} \bmod N.$$

The output of the resolution oracle is $(i, e_{i,2}, y_{i,2}, t'_{i,2})$. 

To sign the j-th message $m_j$, the signing oracle sets $t'_{j,2} = a$ and computes: 

$$y_{j,2} = \Big( z_1 \cdot z_2^{\,H(t_{j,1} \| m_j)} \Big)^{2 e_{j,1} \prod_{\nu \ne j} e_{\nu,1} e_{\nu,2}} \bmod N,$$

where $e_{j,2} = e$. 

Let $Res(m_k) = (k, e_{k,2}, y_{k,2}, t'_{k,2})$ be a legal signature generated by the 
adversary of message $m_k \ne m_i$ for all $1 \le i \le f$. By the assumption, we know 
that 

$$y_{k,2}^{\,e} = X g_1^{t'_{k,2}} g_2^{H(t_{k,1} \| m_k)} \bmod N$$

and 

$$y_{j,2}^{\,e} = X g_1^{t'_{j,2}} g_2^{H(t_{j,1} \| m_j)} \bmod N.$$

Consequently, we have the following equation: 

$$\Big(\frac{y_{k,2}}{y_{j,2}}\Big)^{e} = g_1^{\,t'_{k,2} - t'_{j,2}} \cdot g_2^{\,H(t_{k,1} \| m_k) - H(t_{j,1} \| m_j)} \bmod N.$$

Equivalently, 

$$z^{\,2 (a - t'_{k,2})\, e_{j,1} \prod_{\nu \ne j} e_{\nu,1} e_{\nu,2}} 
= \Big( \frac{y_{j,2} \cdot z_2^{\,2 e_{j,1} \prod_{\nu \ne j} e_{\nu,1} e_{\nu,2}\,(H(t_{k,1} \| m_k) - H(t_{j,1} \| m_j))}}{y_{k,2}} \Big)^{e_{j,2}} \bmod N.$$

Since $t'_{j,2} = a$ and $t'_{k,2} \ne t'_{j,2}$, it follows that $a - t'_{k,2} \ne 0$. We then apply the 
Guillou-Quisquater lemma to extract the e-th root of z. This contradicts the 
standard RSA assumption. 

Type 3 forgery: On input z, where $z \in \mathbb{Z}_N^*$, we choose $2f$ primes $(e_{i,1}, e_{i,2})$ 
for $1 \le i \le f$ and compute the PK and ASK as follows: 

$$g_1 \leftarrow z^{\,2 e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}} \bmod N$$

and 

$$g_2 \leftarrow g_1^{\,a} \bmod N, \qquad X \leftarrow g_1^{\,b} \bmod N,$$

where $a, b \in \{1, \ldots, N^2\}$. 

Since the simulator knows all prime pairs, it follows that it can simulate both 
partial signing and resolution queries. Let $Res(m_k) = (k, e_{k,2}, y_{k,2}, t'_{k,2})$ be a 
legal signature generated by the adversary of message $m_k \ne m_i$ for all $1 \le i \le f$. 
It yields the equation 

$$y_{k,2}^{\,e} = z^{E} \bmod N,$$

where $e = e_{k,2}$ and $E = 2\,(b + t'_{k,2} + a\,H(t_{k,1} \| m_k))\, e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}$. 

Since we are able to compute the $(e/\gcd(e, E))$-th root of z, which is the e-th root 
provided e is not a divisor of E, according to the lemma of Guillou and Quisquater [14], 
it is sufficient to show that e is not a divisor of E with non-negligible probability. Due to the 
fact that $\gcd(e, e_{1,1} e_{1,2} \cdots e_{f,1} e_{f,2}) = 1$, it is sufficient to show that e is not a 
divisor of $b + t'_{k,2} + a\,H(t_{k,1} \| m_k)$ with non-negligible probability. Since $b \in (1, N^2)$, 
it follows that one can write $b = b' p' q' + b''$. Therefore, the probability that 
$b + t'_{k,2} + a\,H(t_{k,1} \| m_k) \equiv 0 \bmod e$ is about $1/e$. 
Security against the co-signer/arbitrator Charlie: Even though the co-signer 
(arbitrator) is semi-trusted, the primary signer does not want this co-signer to 
produce a valid signature which the primary signer did not intend on producing. 
In other words, if the co-signer is able to forge a partial signature of a message m, 
then we make use of Charlie as a subroutine to break the strong RSA assumption. 
Since Bob holds the correspondent ASK, we can assume that Bob 
succeeds in forging a valid partial signature with non-negligible probability. The 
simulation is the same as in the proof of Zhu's signature, and is therefore omitted. 

4 Conclusion 

In this report, we provide the first committed signature from the strong RSA assumption, based on Zhu's signature scheme. As the committed signature formalizes the same thing as a fair exchange protocol, our scheme is actually a fair exchange protocol which is provably secure in the standard complexity model. We should admit that the scheme does not fully achieve consistency with Zhu's signature scheme as a stand-alone signature. How to construct a compactly specified one is our further research.
Appendix: A Formal Proof of Zhu's Signature Scheme

Claim: Zhu's signature scheme is immune to adaptive chosen-message attack under the strong RSA assumption and the assumption that $H$ is collision resistant.

Proof: Assume that the signature scheme is NOT secure against adaptive chosen-message attack. That is, there is an adversary who is able to forge the signature $(e, t, y)$ of a message $m$ ($m \neq m_i$, $1 \le i \le f$) with non-negligible probability after it has queried the corresponding signature of each message $m_1, \ldots, m_f$, which is chosen adaptively by the adversary. Let $(e_1, t_1, y_1), \ldots, (e_f, t_f, y_f)$ be the signatures provided by the signing oracle corresponding to the set of messages $m_1, \ldots, m_f$. We consider three types of forgeries: 1) for some $1 \le j \le f$, $e = e_j$ and $t = t_j$; 2) for some $1 \le j \le f$, $e = e_j$ and $t \neq t_j$; 3) for all $1 \le j \le f$, $e \neq e_j$. We show that any forgery of the three types leads to a contradiction to the assumptions of the theorem. This renders any forgery impossible.

Type 1-Forger: We consider an adversary who chooses a forged signature such that $e = e_j$ for a fixed $j$, $1 \le j \le f$, where $f$ is the total number of queries to the signing oracle. If the adversary succeeds in a type 1 signature forgery with non-negligible probability then, given $n$, we are able to compute $z^{1/r}$ with non-negligible probability, where $r$ is an $(l+1)$-bit prime. This contradicts the assumed hardness of the standard RSA problem. We state the attack in detail as follows: given $z \in Z_n^*$ and $r$, we choose a set of $f-1$ primes of bit-length $l+1$, $e_1, \ldots, e_{j-1}, e_{j+1}, \ldots, e_f$, uniformly at random. We then create the corresponding public key $(X, g, h)$ of the simulator as follows: we choose $w, v \in Z_n$ uniformly at random, and compute h = -le +i...e ^ ^ _ ^2ei - e ^2ei...e _ie +1...6
X = r(;2/3ei 'e ^ 2 ei...e _ie +i...e {-a) where $\alpha \in \{0,1\}^{l+1}$ and $\beta \in Z_n$ are chosen uniformly at random.

Since the simulator knows each $e_i$, it is easy to compute the $i$-th signing query. What we need to show is how to simulate the $j$-th signing query. This can be done as follows:

= Xg* ^ = {w^V* ^2ei...e _ie +i...e {-a+t +H{m )) 

Now we set $-\alpha + t_j + H(m_j) = 0$, i.e., $t_j = \alpha - H(m_j)$.

To show that the simulation above is non-trivial, we should show that $t_j$ is uniformly distributed over $\{0,1\}^{l}$ with non-negligible probability. Since $\alpha \in \{0,1\}^{l+1}$ is chosen uniformly at random, i.e., $0 \le \alpha \le 2^{l+1} - 1$, the probability that $t_j$ belongs to the correct interval, and does so with the correct uniform distribution, can be computed as follows:

(2^+1 - 1 - -2‘ + l) + H{m,) 

Suppose the adversary is able to forge a signature of message $m$, denoted by $(e, y, t)$, such that $e_j = e\ (= r)$ and $t_j = t$. Notice that one cannot assume that $e_j = e$, $t_j = t$ and $y_j = y$, since $H$ is a collision-free hash function. Now we have two equations: $y^{e} = X g^{t} h^{H(m)}$ and $y_j^{e_j} = X g^{t_j} h^{H(m_j)}$. Consequently, we obtain the equation:

$z^{2\, e_1 \cdots e_{j-1} e_{j+1} \cdots e_f\,(H(m_j) - H(m))} = \left(\frac{y_j}{y}\right)^{e}$

It follows that one can extract the $e$-th root of $z$ with non-negligible probability. Therefore, we arrive at a contradiction to the standard hardness assumption of RSA.

Type 2-Forger: We consider an adversary who succeeds in forging a valid signature such that $e = e_j$, $t \neq t_j$ for a fixed $j$, $1 \le j \le f$, where $f$ is the total number of queries to the signing oracle. If the adversary succeeds in a type 2 signature forgery with non-negligible probability then, given $n$, we are able to compute $z^{1/r}$ with non-negligible probability for a given $z$ and $r$, where $r$ is an $(l+1)$-bit prime. This contradicts the assumed hardness of the standard RSA problem. We state the attack in detail as follows: given $z \in Z_n^*$ and $r$, we choose a set of $f-1$ primes of bit-length $l+1$, $e_1, \ldots, e_{j-1}, e_{j+1}, \ldots, e_f$, at random. We then create the corresponding public key $(X, g, h)$ of the simulated signature scheme as follows: $g = z^{2\, e_1 \cdots e_{j-1} e_{j+1} \cdots e_f}$, h = and $X = g^{-\alpha}\, v^{2\, e_1 \cdots e_f}$, where $w, v \in Z_n$ and $\alpha$ is an $l$-bit random string. Since $QR_n$ is a cyclic group, we can assume that $g, h$ are generators of $QR_n$ with overwhelming probability. To sign the $i$-th message $m_i$ ($i \neq j$), the signing oracle selects a random string $t_i \in \{0,1\}^{l}$, and computes:

j/j® = )^2ei...e _ie +i...e ^2(t -a)n ^ ^ e y 
The output of the signing oracle is a signature of message $m_i$, denoted by

To sign the $j$-th message $m_j$, the signing oracle sets $t_j \leftarrow \alpha$ and computes:
y/ = ))2^ ^ « y 

The output of the signing oracle is a signature of message $m_j$, denoted by $\sigma(m_j) =$

Let $\sigma(m) = (e, y, t)$ be a valid signature forged by the adversary of message $m$. By assumption, we know that $y^{e} = X g^{t} h^{H(m)}$. Consequently, we have the following equation:

5 * '>yy = 

Equivalently 

y{a-t)n ^ e _ ))I1 ^ e V 

Vj 

Since $t_j = \alpha$ and $t \neq t_j$ by assumption, it follows that $t \neq \alpha$. We then apply the Guillou-Quisquater lemma to extract the $r$-th root of $z$, where $r = e_j$.

Type 3-Forger: We consider the third type of attack: the adversary's forgery is such that for all $1 \le j \le f$, $e \neq e_j$. If the adversary succeeds in forgery with non-negligible probability, then given $n$ and a random $z \in Z_n^*$, we are able to compute $z^{1/d}$ ($d > 1$) with non-negligible probability, which contradicts the assumed hardness of the strong RSA assumption. We state our attack in detail as follows: we generate $g$ and $h$ with the help of $z$. We define $g = z^{2\, e_1 \cdots e_f}$ and $h = g^{a}$, where $a \in (1, n^2)$ is a random element. We can assume that $g$ is a generator of $QR_n$ with overwhelming probability. Finally, we define $X = g^{b}$, where $b \in (1, n^2)$. Since the simulator knows all the $e_i$, the signing oracle can be perfectly simulated. Let $(e, t, y)$ be a forged signature of message $m$. It yields the equation $y^{e} = X g^{t} h^{H(m)} = z^{E}$, where $E = (b + t + aH(m))\, 2\, e_1 \cdots e_f$. Since we are able to compute the $(e/E)$-th root of $z$ provided $e$ is not a divisor of $E$, according to the lemma of Guillou and Quisquater, it is sufficient to show that $e$ is not a divisor of $E$ with non-negligible probability. Due to the fact that $\gcd(e, e_1 e_2 \cdots e_f) = 1$, it is sufficient to show that $e$ is not a divisor of $b + t + aH(m)$ with non-negligible probability. Since $b \in (1, n^2)$, it follows that one can write $b = b' p' q' + b''$. Therefore, the probability that $b + t + aH(m) = 0 \bmod e$ is about $1/e$.
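Every reduction above (the Type 1 and Type 2 cases as well as both Type 3 arguments) ends by handing the lemma of Guillou and Quisquater a relation of the form $y^{e} = z^{E}$ with $\gcd(e, E) = 1$ and asking it for an $e$-th root of $z$. The Python block below is an added illustration of that lemma, not code from the paper: `gq_root` applies the Bezout identity $se + tE = 1$ exactly as the lemma does, and refuses when $e \mid E$, which is the case the probability argument ($\approx 1/e$) rules out. The modulus $n = 101 \cdot 113$, the hidden root $w = 7$, and the exponents are constructed toy values; `forged_relation` is a hypothetical helper that builds a relation of the right shape from a known root so the result can be checked.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def gq_root(n, z, y, e, E):
    """Guillou-Quisquater lemma: from y^e = z^E (mod n) with gcd(e, E) = 1, return an e-th root of z.

    With Bezout coefficients s, t such that s*e + t*E = 1:
        z = z^(s*e + t*E) = (z^s)^e * (z^E)^t = (z^s)^e * (y^e)^t = (z^s * y^t)^e  (mod n),
    so x = z^s * y^t mod n satisfies x^e = z. Returns None when e divides E, where the
    lemma does not apply (that is the event the proofs bound by about 1/e).
    """
    g, s, t = egcd(e, E)
    if g != 1:
        return None
    if pow(y, e, n) != pow(z, E, n):
        raise ValueError("y^e != z^E mod n: the relation does not hold")
    # A negative Bezout coefficient is an exponent of the modular inverse;
    # Python 3.8+ pow() handles negative exponents when the base is invertible mod n.
    return pow(z, s, n) * pow(y, t, n) % n


def forged_relation(n, w, e, E):
    """Constructed instance: publish z = w^e (its e-th root w is the secret the reduction
    wants) together with y = w^E, which satisfies y^e = z^E, the shape a forgery yields."""
    z = pow(w, e, n)
    y = pow(w, E, n)
    return z, y


if __name__ == "__main__":
    n = 101 * 113                      # constructed toy RSA modulus
    e, E = 17, 2 * 11 * 13 * 19        # gcd(e, E) = 1, like e and 2*e_1*...*e_f in the proof
    z, y = forged_relation(n, 7, e, E)
    x = gq_root(n, z, y, e, E)
    print(x, pow(x, e, n) == z)        # the recovered root and the check x^e == z
```

The check `pow(x, e, n) == z` is the contradiction the proofs arrive at: an adversary that delivers such a relation lets the simulator solve an RSA root problem it was given as input.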
Abstract. A group key agreement protocol allows a set of users, communicating over a public network, to agree on a private session key.
Most of the schemes proposed so far require a linear number (with re- 
spect to the number of participants) of communication rounds to se- 
curely achieve this goal. In this paper we propose a new constant-round 
group key exchange protocol that provides efficiency and privacy under 
the Decisional Diffie-Hellman assumption. Our construction is practical, 
conceptually simple and it is obtained by taking advantage of the prop- 
erties of the El-Gamal encryption scheme combined with standard secret 
sharing techniques. 



1 Introduction 

Group key agreement protocols allow several parties to come up with a common 
secret from which a session key can be derived. Hence, these protocols are likely 
to be used in numerous group-oriented scenarios, such as video conferencing, 
collaborative applications, secure replicated database, in order to achieve secure 
multicasting network layer among the parties. Typically, the parties hold some 
long-term keys that enable them to communicate privately from point to point, 
or to authenticate messages. Another setting considers password-based authen- 
tication, which we are not dealing with in this paper. The final goal of group 
key exchange protocols is to efficiently implement “secure” multicast channels. 
In order to specify what “efficiently” and “secure” mean, one may consider some 
desirable properties for a group key agreement protocol. Efficiency, while not 
measuring security, is to be considered as a crucial property when designing 
key agreement protocols and it is quantified as the number of communication 
rounds, as well as the space and computing resources required to agree on the 
final key. Indeed, limiting the number of rounds can be of prime importance in 
many real-life applications. Consider for example the case of a group where some 
(or all the) participants have a slow network connection. In such a situation the 
efficiency of the entire protocol can be severely degraded even if the “slow guys” 

* Extended abstract. A full version of this paper can be found at www.di.ens.fr/~catalano.
constitute a very small minority of the group. Other scenarios where reducing
the number of rounds is important are all those applications where many players 
are involved, or where many keys have to be exchanged. 

Combining efficiency and security is not a trivial task. One of the most basic security properties required of a group key agreement protocol is the so-called contributory property: all the parties are ensured to properly contribute to the final secret value and to its distribution — in other words, no party should be able to impose the value of the session key, which should be uniformly distributed over the session key space. On top of that, a key agreement scheme should guarantee some privacy property for the final session key, i.e. that no eavesdropper should be able to gain information (at least in some computational sense) about the key after having seen the messages exchanged between the parties involved in the protocol. In general, however, a group key agreement should preserve privacy even in the case in which the network is under the control of some malicious adversary that may try to modify any message sent among the players. Thus the main features we would like to find in a Group Key Agreement scheme are security and efficiency, in the presence of an active adversary. The typical approach to the problem [1,5,8,9] requires some data to go through the complete set of parties, which by sequentially adding some private contribution “build” the actual key in a linear number of rounds of communication. The main problem with this approach is, of course, that it may lead to very slow protocols. To improve on communication complexity the natural solution is to try to devise a scheme that allows for simultaneous sending of contributions.

So, at the very end, the basic problem of group key agreement can be sim- 
plified as follows: we want a set of players to agree on some random value that 
they will later, privately, reconstruct to use as shared key. Written in this way 
the problem seems to be quite similar to the standard multi-party computation 
goal where a group of players wants to compute the output of a public function 
when the input is shared among the participants. There is a crucial difference 
however: in the multi-party computation setting the output of the function is, 
in general, kept shared and may be publicly reconstructed if some conditions are 
met. In the group key agreement setting, on the other hand, we want the players 
to be able to privately reconstruct the secret. In other words, the goal of the key 
agreement is to establish a random value that at the end of the protocol should 
be disclosed to the players only. In this paper we basically combine standard 
secret sharing techniques [30] with the use of El-Gamal cryptosystem [20] to 
make this goal possible. 

Related work — Some formal models for studying the security of the session key were initiated by Bellare and Rogaway [5,6] and further refined by Blake-Wilson et al. [7,8]. Another formal model is based on the multi-party simulatability technique and was initiated by Bellare, Canetti and Krawczyk [2], and refined by Shoup [31]. Some classical examples of group key agreement protocols dealing with privacy are the generalizations of the original Diffie-Hellman paper [16], whose first proposals can be traced back to Ingemarsson et al. [23]. Some more sophisticated schemes [10,32] rely on the so-called group Diffie-Hellman assumptions, for which some reductions can be found in [11], while others are based on more heuristic, quite non-standard¹ assumptions [18]. Let us also mention some proposed schemes that are based on elliptic curve cryptography: Joux [24] proposed a single round method for 3-party Diffie-Hellman key agreement using pairings. However, a generalization based on multi-linear forms is still an open problem [19].

As we said, a major issue of such protocols consists in efficiency, and this is 
especially true when considering large groups or dynamic peer group key agree- 
ment. Some protocols offering provable security have been recently analyzed by 
Bresson et al. [9, 10]; they are essentially derived from an article by Steiner et 
al. [32]. However they require a linear number of communication rounds. In [12], 
Burmester and Desmedt proposed a very efficient, elegant protocol that needs 
only two rounds (three rounds when considering the confirmation step). The 
main advantage of constant round protocols is that the impact of “slow guys” 
is reduced, in the sense that 1 or several slow connections have essentially the 
same impact on efficiency. Burmester and Desmedt provide a security proof that 
reduces the privacy (one-wayness) of the session key to the (computational) 
Diffie-Hellman problem. However no proof of security (in the stronger sense of 
semantic security [22]) is provided in the original paper. Only recently, Katz and 
Yung [25] proposed a more general framework that provides a formal proof of 
security for this protocol, based on the DDH assumption. An interesting con- 
tribution of their paper is a scalable compiler that transforms any group key 
exchange protocol secure against a passive adversary into one that is secure 
against an active adversary, controlling the network. 

In 1999, Li and Pieprzyk [26] proposed a key agreement protocol based on secret sharing techniques. They use the well-known polynomial secret sharing à la Shamir [30] to reconstruct a session key. While their work leads to a constant-round protocol and may appear quite similar to ours, it is actually less efficient. First of all they adopt an $(n+1)$-out-of-$2n$ sharing scheme and need to resort to a secure channel to guarantee secrecy. In our case, on the other hand, we can use an $n$-out-of-$n$ secret sharing scheme and no additional assumption is required. Furthermore in [26], to recover the secret the parties are required to perform Lagrange interpolation in the exponents. We emphasize that working in the exponents implies a relatively inefficient scheme, requiring $O(3n)$ exponentiations per player.

Our contributions — In this work, we propose a constant round key exchange 
protocol, based on secret sharing techniques, and using an asynchronous network. 
Our scheme is very efficient in terms of communication between the players (only 
two rounds of communications — plus a confirmation additional round — are 
required) and provides security (even with respect to parallel executions) under 
the well known Decisional Diffie-Hellman assumption. As noted above, only very 
few schemes proposed so far offer both authentication and privacy under stan- 
dard assumptions [10,25]. We emphasize that our solution achieves comparable 

¹ These assumptions make use of “multiple-decker” exponents, and are not easily related to DH.

bandwidth (in terms of the total number of bits exchanged per player) with respect to all previously proposed schemes. Also, if preprocessing is possible our
protocol requires only - roughly - 2 exponentiations per player. Moreover we 
believe that our proposal allows for a more general approach to the problem. 
Indeed almost all previously suggested solutions are somehow generalizations 
of the basic Diffie-Hellman key exchange protocol [16], and thus are inherently 
related to the underlying (computational or decisional) assumptions. Finding 
alternative to existing solutions is not only a common practice in cryptography 
but a line of research of fundamental importance in practice. In this sense, in 
our case, the reduction to the decisional Diffie-Hellman assumption comes solely 
from the fact that we are adopting the El Gamal cryptosystem as underlying 
encryption primitive (to take advantage, in terms of efficiency, of its nice prop- 
erties). However, we stress here, that up to some loss in efficiency, it remains 
possible to successfully implement our protocol using a different semantically se- 
cure cryptosystem, relying on alternative intractability assumptions. One could 
even imagine a scheme in which the data are encrypted point-to-point using a 
symmetric encryption scheme (the drawback being there the number of secret 
keys). 

2 The Model 

Players and network — We consider a network of $n$ players $P_1, \ldots, P_n$, that are connected by point-to-point channels. We assume that each channel can be authenticated by the use of an underlying secure signature scheme. Thus, as already said, we consider an existing PKI and do not deal with password authentication. We work in an asynchronous network, in which messages can be delivered in arbitrary order. Moreover, and unless explicitly mentioned, we assume that each player can send several messages at the same time (multi-send property); this does not imply that all receivers will get the same message (broadcast). By saying that player $A$ sends a message privately to $B$ we mean $A$ sending an encrypted message (with respect to $B$'s public key) to $B$.

Adversary — The network is likely to be faulty, that is, not reliable because of attacks. To take into account such attacks, including those by “malicious” adversaries, we consider an active adversary $A$ that has full control over the network. In particular we model this adversary as able to read, delete, and modify any message sent on the network. We stress that, as in previously proposed schemes, $A$ does not have any control over the players themselves, and in particular cannot read their private memory².

Rushing attacks — We will assume that no player significantly deviates from 
the protocol, however we enable some players (but not all of them) to choose 
their contribution to the key according to some arbitrarily biased distribution 

² More precisely, $A$ cannot access the storage of the session key; when considering forward-secrecy, one may consider that $A$ partially corrupts the private memory of a player, and gets the long-term key.

(however we assume the adversary does not have any knowledge of such bias).
Note that this allows for some player to adopt a rushing behavior by which 
he waits to receive the messages of the remaining parties (in a given round of 
communication) before sending his own. We stress, however, that this does not mean that rushing players do not follow the instructions nor that they follow instructions in a different order; it just means they choose their nonces non-uniformly, and if possible after the others. Moreover, we will assume that at
least one player is completely honest. 

Security notions — Our goal is to provide protocols allowing a pool of players to jointly agree on a common secret session key, in the presence of a malicious adversary (which includes the framework of a faulty network). We consider the following security notions, most of which are defined in [1].

Completeness means that, if the adversary is completely passive, the protocol 
terminates with each player holding a session key, which is the same for all of 
them. 

Privacy means that whatever the adversary does, it cannot gain any information about the session key, if such a key is set (that is, if the protocol does not abort). In particular, it means that nobody outside of the group is able to compute the session key (implicit authentication).

Contributory means that each player is ensured to contribute equally to the 
final value of the key, and in particular, nobody can bias the distribution of the 
key. 

Confirmation property encompasses the fact that a given player can be en- 
sured a message has been delivered to other players. However, note that the 
receiver is not ensured that its confirmation has been delivered to the sender 
(unless using a confirmation again, which leads to infinite recursion). Such a 
network model thus needs to use time-out methods to abort a protocol if needed. 
Confirmations are used to achieve explicit authentication, by which every player 
has proof the group holds the same key. 

Notations — Let $\ell$ be a security parameter. In the following we denote with $\mathbb{N}$ the set of natural integers and with $\mathbb{R}^{+}$ the set of positive real numbers. We say that a function $\mathrm{negl} : \mathbb{N} \to \mathbb{R}^{+}$ is negligible if for every polynomial $p(t)$ there exists an $\ell_0 \in \mathbb{N}$ s.t. for all $\ell > \ell_0$, $\mathrm{negl}(\ell) < 1/p(\ell)$. For $a, b \in \mathbb{N}$ we write $a \mid b$ if $a$ divides $b$. If $A$ is a set, then $a \leftarrow A$ indicates the process of selecting $a$ at random and uniformly over $A$ (which in particular assumes that $A$ can be sampled efficiently).



2.1 The Formal Model 

Players — We consider multiple, potentially parallel executions of the protocol; 
each player involved in the group has thus many instances, also called oracles 
running parallel sessions. The instances are seen as processes running on a given 
machine: some data (long-term key, public parameters) are shared, some data are 
specific to a process (e.g., the session key). We assume that all signed messages are headed with session IDs, which uniquely identify each parallel run. We denote by $sk_i^{t}$ the session key computed by player $P_i$ in the session whose ID is $t$. We consider a group of players whose membership is fixed, i.e., there are no “Join” or “Remove” manipulations.

Adversarial capabilities — The adversary $A$ is formalized through several queries describing possible interactions with oracles. Following [9], we define four types of queries: the Send-query is used to send arbitrary messages to an oracle; the Reveal-query is used to deal with known-key attacks, by revealing to $A$ the session key $sk_i^{t}$ held by an oracle; the Corrupt-query leaks the long-term data $L_i$ and allows one to consider forward-secrecy; finally the Test-query is used to model semantic security: it returns either the session key or a random string, $A$ having to guess which of the two cases occurred.

Necessary conditions — A few straightforward conditions must be satisfied in order to properly use this model. These conditions are used in [1,9] to define the Freshness of a session key. First, a Reveal-query makes sense only if an oracle has already accepted a session key. Second, a Test-query can be asked only once in the entire attack. Third, a Test-query must be asked before any Corrupt-query (asked to the Test-ed oracle or not). Fourth, a Test-query cannot be asked on a session for which some oracles have accepted and have been Reveal-ed. The last three requirements ensure that the Test makes sense, that is, the session key is not “obviously” known by the adversary through basic means.

Definitions — We say that $A$ disrupts an (instance of) player if it does not honestly relay the messages sent by this oracle (i.e., $A$ is an active adversary generating faults on the network), but is still unable to access this player's internal data. When dealing with forward-secrecy, we say that $A$ corrupts a player if it can get his long-term key. We denote by $L_i$ the long-term key used by player $P_i$.

We say that a Group Key Agreement Protocol, is secure if for any adversary 
A controlling the network the following four conditions are met. 

Completeness: If $A$ does not disrupt any oracle in a session $t$, then at the end of the protocol, there exists $sk^{*}$ (which is efficiently computable) such that for all $i \in \{1, \ldots, n\}$ we have $sk_i^{t} = sk^{*}$.

Contributory (uniformity): If $A$ does not disrupt any oracle in a session, then $sk$ is uniformly distributed in the key space $\mathcal{K}$.

Privacy: We formalize this property as follows. Let $B$ be a challenger facing the adversary that runs the protocol, controlling all the players involved in the key exchange protocol being attacked. Let $K_1$ be the corresponding session key computed by the members. On a Test-query, $B$ chooses a random string $K_0$ in the key space $\mathcal{K}$. Then it gives to the adversary either $K_0$ or $K_1$ (with equal probability). When terminating its attack, $A$ should output a “guess” for the hidden bit $b$. We say that the protocol establishes a private session key $sk$ if there exists a negligible function negl such that for sufficiently large $\ell$, we have:

$\mathrm{Adv}(A) = 2 \Pr\big[\, A(V, K_b) = b \;\big|\; K_0 \leftarrow \mathcal{K};\ K_1 = sk \,\big] - 1 \le \mathrm{negl}(\ell)$
Assumption 1 (DDH Assumption) Let $p$ and $q$ be two primes such that $|q| = \ell$ and $q \mid p-1$, and $g$ an element of order $q$ in $Z_p^{*}$. Let $\mathcal{G} = \langle g \rangle$. There exists a negligible function negl such that for sufficiently large $\ell$, for any probabilistic polynomial-time distinguisher $A$, we have:

$\mathrm{Adv}^{\mathrm{DDH}}(A) = \Big|\, \Pr_{x,y}\big[A(g, g^{x}, g^{y}, g^{xy}) = 1\big] - \Pr_{x,y,z}\big[A(g, g^{x}, g^{y}, g^{z}) = 1\big] \,\Big| = \mathrm{negl}(\ell)$

Informally this assumption states that given the two elements $X = g^{x} \bmod p$ and $Y = g^{y} \bmod p$ the value $Z = g^{xy} \bmod p$ is indistinguishable from a random one in $\mathcal{G}$ (see [22] for a definition of computational indistinguishability).



3 The Proposed Scheme 

We start with an informal description of our protocol. The goal here is to high- 
light the main ideas underlying our construction without going too much into 
technical details. 

Overview of the protocol — We will assume that each player $P_i$ holds a pair of matching private/public keys $(x_i, h_i)$, where $h_i = g^{x_i} \bmod p$. We denote by $C_{ij}(m, a)$ an El-Gamal encryption of a message $m$ under key $h_j$, using randomness $a$. Intuitively $C_{ij}$ can be seen as an encrypted message sent from player $P_i$ to player $P_j$.

The proposed protocol goes as follows. Every player $P_i$ uniformly chooses a random value $a_i$ as his own contribution to the key exchange protocol and a randomizer pad $r_i$. $P_i$ proceeds by encrypting $a_i$ under the public key of every remaining player, and sends the ciphertext $C_{ij}$ to player $P_j$. Moreover $P_i$ randomly chooses a polynomial $f_i(z)$ of degree $n-1$ over $Z_q$ such that $f_i(0) = r_i$ and sends to player $P_j$ the value $f_i(j)$. Once this first stage is over every player $P_j$ sums the received $f_i(j)$ and multiplies the received ciphertexts (that is, those corresponding to all indices but its own). Let us call $C_j$ the resulting product and let $S_j$ be the plaintext corresponding to $C_j$. Note that, because of the homomorphic properties of the El-Gamal encryption scheme, the quantity $S_j \cdot a_j \bmod p$ is exactly $a = a_1 \cdots a_n \bmod p$, and, of course, it is the same for all the players involved in the protocol. Similarly the quantity $f(i)$, obtained by summing up all the $f_j(i)$'s, will be a share of a unique polynomial $f(z)$ such that $f(0) = r$ where $r = \sum_i r_i \bmod q$. So to conclude the protocol the parties compute $r$, by interpolating $f(z)$ over $Z_q$, and set their session key $sk = a \cdot g^{r}$.

Dealing with rushing scenarios — One may wonder why we need to distribute encryptions of $a_i$, shares of $r_i$, and then define the session key as $sk = \prod_{i=1}^{n} a_i \cdot g^{\sum_i r_i} \bmod p$ rather than simply distribute encryptions of $a_i$ and set the final key as $sk = \prod_{i=1}^{n} a_i \bmod p$. As a matter of fact, this second solution may be possible in a non-rushing scenario where all the parties are assumed to maintain a completely honest behavior, and use unbiased pseudo-random generators. In our case, as sketched in Section 2, a player may decide to choose his contribution after having received all those of the remaining parties. Thus he could,
Authenticated Group Key Agreement Protocol

Public Parameters: Two primes $p, q$ such that $q \mid p-1$. A subgroup $\mathcal{G} = \langle g \rangle$ of order $q$. A hash function $\mathcal{H}$ modeled as a random oracle, and $\mathcal{ID}$ the current session ID.

Public inputs: The players' public keys $h_i$, for $i = 1, \ldots, n$.

Private input (for player $i$): A value $x_i$ such that $h_i = g^{x_i} \bmod p$.

In a preprocessing stage player $P_i$ runs a signature generation algorithm SigGen to obtain a couple of matching signing and verification keys $(SK_i, VK_i)$.

First Round — Each player $P_i$ does the following:

1. Choose $a_i \leftarrow \mathcal{G}$.

2. Choose $r_i, b_{i,1}, \ldots, b_{i,n-1} \leftarrow Z_q$.

3. Define $f_i(z) = r_i + b_{i,1} z + \ldots + b_{i,n-1} z^{n-1} \bmod q$.

4. For each $j = 1 \ldots n$ ($j \neq i$): choose $k \leftarrow Z_q$ and set $C_{ij} = (A_{ij}, B_{ij}) = (g^{k} \bmod p,\ a_i h_j^{k} \bmod p)$.

5. Send to player $P_j$ the values $C_{ij}$, $f_i(j)$ and $\sigma_{ij} = \mathrm{Sign}_{SK_i}(C_{ij} \| f_i(j) \| \mathcal{ID})$.

Second Round — Once having received all the values above, each player $P_i$ does the following (if $P_i$ receives fewer than $n-1$ triplets $(C_{ji}, f_j(i), \sigma_{ji})$ he aborts the protocol):

1. Check the authentication (signature) of all received values. If the check fails the player aborts the protocol.

2. Multiply the received ciphertexts: let $A_i = \prod_{j \neq i} A_{ji} \bmod p$ and $B_i = a_i \cdot \prod_{j \neq i} B_{ji} \bmod p$.

3. Decrypt the result to define the value $U(i) = B_i / A_i^{x_i}$.

4. Compute

$f_i = f_i(i) + \sum_{j \neq i} f_j(i) \bmod q$

as his share of an $(n-1)$-degree polynomial $f(z)$ whose free term we indicate with $r$.

5. Send to the other players the values $f_i$ and $\omega_i = \mathrm{Sign}_{SK_i}(f_i \| \mathcal{ID})$.

Third Round —

1. The players interpolate $f(z)$ and retrieve $r$.

2. Player $P_i$ defines its session seed as

$sk(i) = U(i) \cdot g^{r} \bmod p$.

Confirmation Step: Compute $s_i = \mathcal{H}(sk(i) \| \mathcal{ID})$ and broadcast this value together with its signature $\gamma_i = \mathrm{Sign}_{SK_i}(s_i \| \mathcal{ID})$.

If the $n$ broadcast values are all the same, set the final key as

$sk = \mathcal{H}(sk(i))$

Fig. 1. Pseudo-code description for the Group Key Agreement Protocol
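The Section 3 overview and Fig. 1 can be exercised end to end with the following Python simulation, which is an added illustration and not the paper's own code: every player runs the three rounds locally, the El-Gamal ciphertexts are multiplied and decrypted homomorphically in the second round, the published global shares $f_i$ are Lagrange-interpolated to recover $r$, and the confirmation digests are compared before the key is accepted. The parameters $p = 23$, $q = 11$, $g = 2$ are constructed toy values (far too small for real use); the signatures $\sigma_{ij}$, $\omega_i$, $\gamma_i$ are omitted, since Fig. 1 assumes authenticated channels, and SHA-256 stands in for the random oracle $\mathcal{H}$. `Player`, `run_protocol` and `aborts_without_message` are hypothetical helper names; the last one exercises the second-round abort when a player has received fewer than $n-1$ first-round triplets.

```python
import hashlib
import random

# Constructed toy parameters (hypothetical, not secure): q = 11, p = 2q + 1 = 23,
# and g = 2 generates the order-q subgroup G of Z_p^*.
P, Q, G = 23, 11, 2


def elgamal_encrypt(rng, h_j, m):
    """First round, step 4: C_ij = (g^k mod p, m * h_j^k mod p) under P_j's public key h_j."""
    k = rng.randrange(1, Q)
    return pow(G, k, P), m * pow(h_j, k, P) % P


def interpolate_at_zero(points):
    """Third round, step 1: Lagrange interpolation of f(0) mod q from the n shares (i, f(i))."""
    total = 0
    for i, fi in points:
        num, den = 1, 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + fi * num * pow(den, -1, Q)) % Q
    return total


class Player:
    def __init__(self, idx, n, rng):
        self.i, self.n, self.rng = idx, n, rng
        self.x = rng.randrange(1, Q)                        # private key x_i
        self.h = pow(G, self.x, P)                          # public key h_i = g^{x_i}
        self.a = pow(G, rng.randrange(1, Q), P)             # contribution a_i, a random element of G
        self.poly = [rng.randrange(0, Q) for _ in range(n)]  # f_i: r_i = poly[0], then b_{i,1..n-1}
        self.inbox = {}    # j -> (C_ji, f_j(i)) received in the first round
        self.shares = {}   # j -> f_j, the global shares published in the second round

    def f(self, z):
        return sum(c * pow(z, k, Q) for k, c in enumerate(self.poly)) % Q

    def round1(self, players):
        # First round, step 5 (the signature sigma_ij is omitted in this simulation).
        for pj in players:
            if pj.i != self.i:
                pj.inbox[self.i] = (elgamal_encrypt(self.rng, pj.h, self.a), self.f(pj.i))

    def round2(self, players):
        if len(self.inbox) != self.n - 1:
            raise RuntimeError(f"P{self.i}: fewer than n-1 first-round triplets, abort")
        prod_a, prod_b = 1, self.a                          # A_i and B_i = a_i * prod B_ji
        for (aji, bji), _ in self.inbox.values():
            prod_a, prod_b = prod_a * aji % P, prod_b * bji % P
        # Step 3: U(i) = B_i / A_i^{x_i} = a_1 * ... * a_n mod p (homomorphic decryption)
        self.u = prod_b * pow(prod_a, -self.x, P) % P
        # Step 4: global share f(i) = f_i(i) + sum_{j != i} f_j(i) mod q
        self.fi = (self.f(self.i) + sum(fj for _, fj in self.inbox.values())) % Q
        for pj in players:                                  # step 5, omega_i omitted
            pj.shares[self.i] = self.fi

    def round3(self, session_id):
        if len(self.shares) != self.n:
            raise RuntimeError(f"P{self.i}: not enough shares to interpolate f, abort")
        r = interpolate_at_zero(sorted(self.shares.items()))
        self.seed = self.u * pow(G, r, P) % P               # sk(i) = U(i) * g^r mod p
        return hashlib.sha256(f"{self.seed}|{session_id}".encode()).hexdigest()  # s_i


def run_protocol(n, seed=1, session_id="sid-constructed"):
    """Run all rounds for n players (n < q) and return seeds, the overview's prediction and sk."""
    rng = random.Random(seed)
    players = [Player(i, n, rng) for i in range(1, n + 1)]
    for p in players:
        p.round1(players)
    for p in players:
        p.round2(players)
    confirmations = [p.round3(session_id) for p in players]
    if len(set(confirmations)) != 1:
        raise RuntimeError("confirmation values differ, abort")
    a = 1
    for p in players:                                       # a = a_1 * ... * a_n
        a = a * p.a % P
    expected = a * pow(G, sum(p.poly[0] for p in players) % Q, P) % P   # a * g^{sum r_i}
    return {"seeds": [p.seed for p in players], "expected": expected,
            "key": hashlib.sha256(str(players[0].seed).encode()).hexdigest()}


def aborts_without_message(n, silent, seed=3):
    """Second-round check of Fig. 1: does P_1 abort when player `silent` never sends round 1?"""
    rng = random.Random(seed)
    players = [Player(i, n, rng) for i in range(1, n + 1)]
    for p in players:
        if p.i != silent:
            p.round1(players)
    try:
        players[0].round2(players)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(run_protocol(4))
```

Because every player decrypts the product of the ciphertexts with its own $x_i$, each recovers the same $a$, and because the $n$ published $f_i$ determine a unique polynomial of degree $n-1$, each recovers the same $r$; the simulation checks that all seeds coincide with $a \cdot g^{r}$ computed directly from the players' private choices.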
arbitrarily, set the value for the final key. In order to avoid such a situation, in our protocol we distinguish two stages: during the first one every player sends encryptions of $a_i$ and waits for all the other players to do the same. Then, once he has received all the shares he proceeds to the second stage by disclosing his $f(i)$. Such a two-round separation has the effect of forcing the players to choose their $r_i$ without having any clue (in a strong information-theoretic sense) about the $r_j$'s chosen by the remaining players. In this way the produced key is uniformly distributed if at least one of the players chooses his contributions uniformly and at random (and we stress that in our model we assume that at least one player maintains a fully honest behavior).

In practice, we implement this idea by assuming the second round starts when each player has received all the $n-1$ contributions from the remaining parties. The underlying intuition is that if a player has received $n-1$ ciphertexts, then he can safely start the second round, because he is ensured that every other party has already chosen his own share. Interestingly, this approach allows for some modularity in error detection. Indeed, if at least one player aborted after round one (for instance, because he did not correctly receive all the expected ciphertexts), such a situation can be efficiently detected in round two as follows. If after round one some party aborted (i.e. quit) the protocol, then the remaining players cannot reconstruct the polynomial $f(\cdot)$ — simply because not enough shares are available — and the protocol can be immediately aborted. On the other hand, the fact of receiving all the expected shares in round two can be seen as a “so far, so good” guarantee: if a player sends his share of the polynomial, it means that he must have been happy with what he has received so far.

Disclosing the polynomial’s shares — We notice that in the first round (step 5), a player can safely send his “own” shares $f_i(j)$ (the shares for his private polynomial $f_i$) without encrypting them, since this does not reveal any information at all about his randomizer $r_i = f_i(0)$: in fact the value $f_i(i)$ is never disclosed at any time. Moreover, and for the same reason, it is important to note that the entire transcript of the first round does not reveal anything about the “global” shares $f(i)$ either. More precisely, recall that the “global” share for player $P_i$ (i.e., his share of $f(\cdot)$) is defined as $f(i) = \sum_{j=1}^{n} f_j(i)$, but only the values $f_j(i)$ with $j \ne i$ are disclosed. Thus, until the second round, step 5, all “global” shares $f(i)$ are still information-theoretically hidden from the adversary, and each player $P_i$ knows exactly $f(i)$ and nothing at all about the other $f(j)$’s. During the second round, the shares are disclosed (keep in mind that this is done once the contributions $a_j$’s have been received by each player).

Key confirmatory — There remains one final problem to discuss in our protocol, because of which we still need a confirmation step at the very end of round two. Actually, to be sure that all parties correctly recover the session key, we use the following technique, known as key confirmatory, that allows each player to check that the remaining participants have computed the key. This additional confirmation step makes use of an asynchronous broadcast, which means that we need to assume that the network is equipped with such a primitive. Using a broadcast, either everybody received the confirmation messages, or nobody did and the protocol aborts.

We can obtain the key confirmatory property by having each player compute and broadcast an additional value to the other players. Every player sends a “receipt” which is computed from the session key, thus playing the role of an authenticator. The technique is described in more detail in [9] and requires the random oracle assumption³ in order for the authenticator not to leak any information about the session key. In particular, such an authenticator should not be computed directly from the final session key, but rather from an intermediate common secret (otherwise, an eavesdropper would be able to gain some partial information about $sk$ — for instance the hash of $sk$ — and to distinguish it from a random string).
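The computational core of the protocol in Fig. 1 together with the key-confirmation rule just discussed, as an added Python example that is not part of the original paper: $n$ honest players run locally, contributions are ElGamal-encrypted and multiplied homomorphically, the polynomial shares are interpolated with Lagrange at zero, and the receipt $s_i$ is derived from the seed $sk^{(i)}$ rather than from the final key $sk$. The signatures and the network are left out, SHA-256 stands in for $\mathcal{H}$ and $H$, and the prime $p = 1019$ is a constructed toy parameter.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime and g generates the
# order-q subgroup G of Z_p^*, so contributions a_i and keys live in G.
# A real deployment uses a p of at least 2048 bits.
P, Q, G = 1019, 509, 4


def poly_eval(coeffs, z):
    """Evaluate f(z) = c_0 + c_1 z + ... + c_{n-1} z^{n-1} over Z_q."""
    return sum(c * pow(z, k, Q) for k, c in enumerate(coeffs)) % Q


def lagrange_at_zero(shares):
    """Interpolate f(0) = r from the dict {i: f(i)} over Z_q (Round 3, step 1)."""
    r = 0
    for i, fi in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        r = (r + fi * num * pow(den, -1, Q)) % Q
    return r


class Player:
    """One honest participant P_i; signatures and transport are left out."""

    def __init__(self, i, n):
        self.i, self.n = i, n
        self.x = secrets.randbelow(Q - 1) + 1      # long-term ElGamal key x_i
        self.h = pow(G, self.x, P)                 # public key h_i = g^{x_i}
        self.inbox, self.shares = {}, {}

    def round1(self, pubkeys):
        # a_i: secret contribution in G; f_i: random polynomial of degree n-1
        # over Z_q whose free term r_i = f_i(0) is this player's randomizer.
        self.a = pow(G, secrets.randbelow(Q - 1) + 1, P)
        self.f = [secrets.randbelow(Q) for _ in range(self.n)]
        out = {}
        for j, h_j in pubkeys.items():
            if j != self.i:
                rho = secrets.randbelow(Q - 1) + 1
                # C_{i,j} = (A_{i,j}, B_{i,j}): ElGamal encryption of a_i under h_j
                C = (pow(G, rho, P), self.a * pow(h_j, rho, P) % P)
                out[j] = (C, poly_eval(self.f, j))  # f_i(j) is sent in the clear
        return out

    def receive(self, j, msg):
        self.inbox[j] = msg

    def round2(self):
        if len(self.inbox) < self.n - 1:
            raise RuntimeError("abort: fewer than n-1 round-1 messages")
        A, B = 1, self.a
        for (A_ji, B_ji), _ in self.inbox.values():   # homomorphic product
            A, B = A * A_ji % P, B * B_ji % P
        self.alpha = B * pow(A, -self.x, P) % P       # alpha^(i) = prod_j a_j
        f_i = (poly_eval(self.f, self.i)
               + sum(sh for _, sh in self.inbox.values())) % Q
        self.shares[self.i] = f_i
        return f_i                                    # share of f(z), f(0) = r

    def receive_share(self, j, f_j):
        self.shares[j] = f_j

    def round3(self):
        if len(self.shares) < self.n:
            raise RuntimeError("abort: not enough shares to interpolate f")
        r = lagrange_at_zero(self.shares)
        self.sk_i = self.alpha * pow(G, r, P) % P     # session seed sk^(i)
        # Confirmation receipt s_i is derived from the seed, never from sk.
        return hashlib.sha256(b"confirm|" + str(self.sk_i).encode()).hexdigest()

    def final_key(self):
        return hashlib.sha256(str(self.sk_i).encode()).hexdigest()


def run_protocol(n):
    """Run all rounds locally; returns (sk, all players agree on the seed)."""
    players = [Player(i, n) for i in range(1, n + 1)]
    pubkeys = {pl.i: pl.h for pl in players}
    for pl in players:                                # Round 1
        for j, msg in pl.round1(pubkeys).items():
            players[j - 1].receive(pl.i, msg)
    for pl in players:                                # Round 2
        f_i = pl.round2()
        for other in players:
            if other is not pl:
                other.receive_share(pl.i, f_i)
    receipts = {pl.round3() for pl in players}        # Round 3 + confirmation
    if len(receipts) != 1:
        raise RuntimeError("abort: confirmation values differ")
    # Demo check: sk^(i) = prod a_i * g^{sum r_i}, where r_i = f_i(0)
    alpha, r = 1, 0
    for pl in players:
        alpha, r = alpha * pl.a % P, (r + pl.f[0]) % Q
    expected = alpha * pow(G, r, P) % P
    return players[0].final_key(), all(pl.sk_i == expected for pl in players)
```

A player whose inbox holds fewer than $n-1$ round-one messages raises in `round2`, which mirrors the abort rule and the round-two error detection described above.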



4 Security of the Scheme 

In this section we prove the following security theorem. 

Theorem 1. The protocol presented in Figure 1 is a secure Authenticated Group Key Agreement protocol, achieving completeness, contributory and privacy (under the DDH assumption).

Completeness — Obvious by inspection. 

Privacy — We consider a simulator $S$ that emulates the protocol to the adversary in such a way that the simulation is indistinguishable from the real attack. Formally the simulator goes as follows. It receives as input a triplet $(X, Y, Z)$, for which it has to decide whether it is a Diffie-Hellman triplet or not. Let $Q$ be the total number of interactions the adversary is likely to make. $S$ starts by choosing at random an integer $q_0$ in $[1, Q]$, hoping the $q_0$-th interaction will be the attacked session. Then it chooses uniformly and at random an index $i_0$ in $[1, n]$. After that, it initializes the protocol by choosing $n$ random exponents $\varepsilon_1$ through $\varepsilon_n$. It sets the public key $h_i = Y g^{\varepsilon_i} \bmod p$ for every player $P_i$. Finally it gives $g$ and all the $h_i$’s to the adversary $A$, as the public input of the protocol.

To take into account the rushing scenarios, we consider two different pseudo-random generators $\mathcal{R}$ and $\mathcal{R}^*$, assuming the latter is biased. In particular, $\mathcal{R}^*$, when called by a player, takes as input all previous data used by this player. We denote, to formalize our simulation, by $\mathcal{R}_j$ the pseudo-random generator used by $P_j$, and we set $\mathcal{R}_{i_0} = \mathcal{R}$ and $\mathcal{R}_j = \mathcal{R}^*$ for all $j \ne i_0$.

Then (for each parallel session), the simulator $S$ simulates the players in the first round as follows. On receiving a Send($U_j$, start)-query, the simulator chooses a secret contribution $a_j$ and $n$ coefficients $r_j, (b_{j,k})_{1 \le k \le n-1}$, using the pseudo-random generator $\mathcal{R}_j$. The ciphertexts in step 4 are computed straightforwardly, except if $j = i_0$ and $q = q_0$. In that latter case, the simulator chooses

³ Actually the random oracle is considered for efficiency reasons only and it is not necessary for the [9] technique to work. In particular the random oracle can be replaced by a pseudo-random function [21].
(uniformly) $n-1$ random values $\rho_j$ (for $j = 1, \ldots, n$ but $j \ne i_0$) and computes $A_{i_0,j} = X g^{\rho_j}$ and $B_{i_0,j} = Z\, Y^{\rho_j} X^{\varepsilon_j} g^{\rho_j \varepsilon_j}\, a_{i_0}$ as an encryption of $a_{i_0}$. The query is answered with the $n-1$ (signed) flows to be sent to the others.

The second round starts (for player $U_j$) after having received $n-1$ queries, from $n-1$ other players (within a given concurrent session). Before that, the simulator just stores the received flows. The simulator checks the authenticity of the received flows, then defines $\alpha^{(j)}$ as the product of all $a_i$. Note, in particular, that $S$ does not perform the multiplication of ciphertexts (step 2), nor the decryption (step 3), since it does not know the private key $x_j = \log_g h_j$. Steps 4 and 5 of round 2 are performed straightforwardly, and the query is finally answered by $f_j$, together with its signature.

Round 3 is simulated as in the real protocol. The confirmation step is processed straightforwardly. After the third round, a Reveal-query is answered straightforwardly, except if asked to $U_{i_0}$ within the $q_0$-th session. In that case $S$ aborts.

If the Test-query does not occur within the $q_0$-th session, the simulator aborts. This happens with probability at most $(Q-1)/Q$. Otherwise, it is processed as follows. Let $\kappa = \alpha \cdot g^{r} = \prod_{i=1}^{n} a_i \cdot g^{r}$. When the Test-query occurs, the simulator flips a private coin $\beta$ and sets $K_0 \leftarrow \mathcal{K}$ (uniformly at random), $K_1 = \kappa$, where $\mathcal{K}$ is the session key space (and in our case $\mathcal{K} = G$). Then it gives $K_\beta$ to the adversary. The interaction might continue then; at the end of the attack, the adversary answers with a bit $b'$, that the simulator relays back as its own guess. The theorem then follows immediately from the following two claims.

Claim 1 If the simulator’s input is a Diffie-Hellman triplet (that is $b = 1$) the adversary’s view is perfectly indistinguishable from the real protocol.

It is easy to see that, in this case, the simulation is perfectly identical to the real protocol with player $P_i$ using private contribution $a_i$, and thus the value $\kappa$ is actually the session key $sk$. This means that an infinitely powerful adversary, which would be able to recover all plaintexts, would necessarily lead to $sk = \kappa$. Indeed, the secret key of player $P_j$ is implicitly $y + \varepsilon_j$, where $y = \log_g Y$. And any ciphertext $C_{i_0,j}$ is an honest encryption of $a_{i_0}$, using randomness $x + \rho_j$, where $x = \log_g X$. Of course, any other $C_{i,j}$ is an encryption of $a_i$ under public key $h_j$.

Then we have ($A_v$ denotes the adversary together with its view):

$$\Pr[A_v(K_\beta) = 1 \mid \beta = 1 \wedge b = 1] = \Pr[A_v(K_\beta) = 1 \mid \beta = 1 \wedge K_1 = sk] = \Pr[A_v(K_1) = 1 \mid K_1 = sk] \quad (1)$$

$$\Pr[A_v(K_\beta) = 1 \mid \beta = 0 \wedge b = 1] = \Pr[A_v(K_\beta) = 1 \mid \beta = 0 \wedge K_0 \leftarrow \mathcal{K}] = \Pr[A_v(K_0) = 1 \mid K_0 \leftarrow \mathcal{K}] \quad (2)$$

Then using the fact that $\Pr[\beta = 1] = \Pr[\beta = 0] = 1/2$, we have:

$$\Pr[A_v(K_\beta) = 1 \mid b = 1] = \tfrac{1}{2} \Pr[A_v(K_1) = 1 \mid K_1 = sk] + \tfrac{1}{2} \Pr[A_v(K_0) = 1 \mid K_0 \leftarrow \mathcal{K}]$$
Claim 2 If the simulator’s input is a random triplet (that is $b = 0$) the adversary’s view is independent from $a_{i_0}$.



In such a case, all the values are correctly computed, except that the ciphertexts $C_{i_0,j}$ encrypt random values. More precisely, the value computationally hidden in $C_{i_0,j}$ under public key $h_j = Y g^{\varepsilon_j}$ is (implicitly):

$$\frac{Z\, Y^{\rho_j} X^{\varepsilon_j} g^{\rho_j \varepsilon_j}\, a_{i_0}}{(X g^{\rho_j})^{y + \varepsilon_j}} = g^{\,z + y\rho_j + x\varepsilon_j + \rho_j \varepsilon_j - (x + \rho_j)(y + \varepsilon_j)}\, a_{i_0} = g^{\,z - xy}\, a_{i_0},$$

where $z = \log_g Z$. Note that this value does not depend on the index $j$ of the receiver. This is due to the fact that we use the additive random self-reducibility property of the Diffie-Hellman problem.

Consequently, the plaintext that an infinitely powerful adversary would recover by decrypting all the ciphertexts is (for any $j$) $g^{z - xy}\, a_{i_0}$; thus, the adversary learns no information at all about $a_{i_0}$ when eavesdropping on the messages. According to the adversary’s view, the session key $sk$ associated to this simulated execution of the protocol is thus

$$\alpha' \cdot g^{r} = g^{z - xy}\, \alpha \cdot g^{r}.$$

On the other hand, the simulation makes all players set their key to $\alpha^{(i)}$. Then, the value “recovered” (according to the simulation) by every player $P_i$, including $P_{i_0}$, is $K_1 = \alpha g^{r}$; moreover $a_{i_0}$ and, thus, $K_1$ is uniformly distributed over $G$, exactly as $K_0$ is. Consequently, the value of $\beta$ is information-theoretically hidden to $A$.



$$\Pr[A_v(K_\beta) = 1 \mid b = 0] = \tfrac{1}{2} \Pr[A_v(K_1) = 1 \mid K_1 \leftarrow \mathcal{K}] + \tfrac{1}{2} \Pr[A_v(K_0) = 1 \mid K_0 \leftarrow \mathcal{K}]$$

By subtraction, we get:

$$\mathrm{Adv}^{ddh}(S) = \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0] = \Pr[A_v(K_\beta) = 1 \mid b = 1] - \Pr[A_v(K_\beta) = 1 \mid b = 0]$$

$$= \tfrac{1}{2}\Big(\Pr[A_v(K_1) = 1 \mid K_1 = sk] - \Pr[A_v(K_1) = 1 \mid K_1 \leftarrow \mathcal{K}]\Big) = \frac{\mathrm{Adv}(A)}{2}.$$

Assuming the DDH assumption, this quantity is a negligible amount.

In fact, we have conditioned on the fact that the Test-query has been correctly guessed, so we must divide by $1/Q$.

Contributory — Contributory trivially follows from the fact that every player is forced to choose his share $a_i$ having no information at all (in an information-theoretic sense!) about the actual value of the randomizer $r$.
5 Comments, Optimizations, and Variants

Efficiency of the protocol — Our protocol is very efficient both in terms of bandwidth and in terms of the number of rounds required. The number of bits sent by each player is bounded by $3|p|n$ plus $n + 2$ times the size of the employed signature scheme (used for the authentication). The protocol requires 2 rounds of communication, one asynchronous broadcast for the confirmation step and roughly $2n$ exponentiations per player (plus the cost of computing the signatures). If precomputations are possible (in a context where, for example, the participants’ public keys are all known in advance), all the exponentiations in Round 1 can be done off-line and the number of total exponentiations (per player) reduces to 2 (plus the cost of the signatures, and the cost of multiplying the received ciphertexts of course). To our knowledge, in this case (and for this specific aspect) our scheme is one of the most efficient group key agreement solutions known. Moreover, being a constant-round protocol, it has the property that the number of “slow guys” is not a major efficiency issue. Indeed, an $n$-round protocol is like a token ring network: a player does its work then passes the token to the next one; hence the delays induced by slow parties accumulate. In our case, everybody works in parallel, so we have the same delay whatever the number of slow guys is (more precisely, the delay is essentially that of the slowest guy).

Considering forward-secrecy — The forward-secrecy property [29, 17, 10] encompasses that the privacy (semantic security) of the session key is not compromised even in case of a later leakage of the long-term El-Gamal key. In other words, if the adversary learns a private key $x_i$ at some time, then the knowledge of $x_i$, as well as the view of previous session key establishments, does not help him to get information about these previously established session keys. We state informally that our protocol provides forward-secrecy if at most one private key, say $x_1$, is revealed. Indeed, if an adversary $A$ knows $x_1$, it can decrypt all ciphertexts sent to $P_1$, thus learning all contributions $a_2, \ldots, a_n$. However, $P_1$’s contribution, namely $a_1$, is never encrypted under $h_1$ and thus remains (computationally) hidden to $A$, and so does the session key. In order to cover larger scenarios, we have to consider forward-secure public-key encryption schemes [14].

Resistance to known-key attacks — A key exchange protocol is said to 
be resistant to known-key attacks [32] if the exposure of a session key gives no 
advantage to an adversary for breaking the privacy of future session keys. This 
property takes some importance in dynamic groups, in which future session keys 
are computed from private data among which is the current session key. Our 
protocol trivially provides resistance to such attacks, since all values are one- 
time used and picked (“fresh”) at the beginning of a key exchange. 

A General Solution — Up to some loss in efficiency it is possible to generalize our construction in order to obtain a constant-round authenticated group key agreement scheme provably secure under the sole assumption that trapdoor functions exist (indeed, this assumption ensures that a semantically secure encryption scheme and a secure signature scheme exist). Details will appear in the final version of this paper.

6 Conclusions 

In this paper we presented a new protocol that achieves strong properties of efficiency and security under standard assumptions. The protocol is efficient both in communication rounds and in bandwidth: the number of communication rounds is constant, and the bandwidth is comparable with that of previously proposed schemes. Our scheme is provably secure under the Decisional Diffie-Hellman assumption, and enjoys several additional properties such as forward-secrecy or an increased efficiency when preprocessing is allowed. An intriguing, still open, research problem is to establish a secure key agreement scheme that provides some kind of “resistance” with respect to active adversaries (i.e., for example, a protocol that allows the non-corrupted players to eliminate the bad guys and to agree on a key).

Acknowledgments. We wish to thank Jacques Stern for valuable comments on an early version of this paper. We thank David Pointcheval for a number of helpful discussions we had.
Abstract. In modern collaborative and distributed applications, authenticated group key agreement (GKA) is one of the important issues. Recently, identity (ID)-based authenticated GKA has been increasingly researched because of the simplicity of public key management. In this paper, we present a formal treatment of ID-based authenticated GKA, which extends the standard GKA model. We present two GKA protocols which use bilinear-based cryptography: one is a bilinear variant of the Burmester and Desmedt protocol [13] and the other is an ID-based authenticated protocol based on the former. Our protocols are scalable 2-round protocols with forward secrecy. In particular, the ID-based authenticated GKA protocol provides a batch verification technique, which verifies the validity of transcripts from other group players simultaneously and improves computational efficiency. We then prove their security under the decisional bilinear DH and computational DH assumptions.



1 Introduction

Background. In many modern collaborative and distributed applications such as multicast communication, audio-video conferencing and collaborative tools, scalable and reliable group communication is one of the critical problems. A group key agreement (GKA) protocol allows a group of users to share a key which may later be used to achieve some cryptographic goals. In addition to this basic tool, an authentication mechanism provides an assurance of key-sharing with the intended users. A protocol achieving these two goals is called an authenticated group key agreement (AGKA) protocol.

Among various authentication flavors, asymmetric techniques such as certificate-based PKI (public key infrastructure) or ID-based systems are commonly used to provide authentication. In a typical PKI-deployed system, a user should obtain a certificate of a long-lived public key from the certifying authority and this certificate is given to a partner to authenticate the user, whereas in an ID-based system the partner just has to know the public identity of the user, such as an e-mail address. Thus, compared to a certificate-based PKI system, ID-based authenticated systems simplify the key agreement (management) procedures.



F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 130-144, 2004. 
(c) International Association for Cryptologic Research 2004 
Several papers have attempted to establish ID-based authenticated key agreement protocols. But the results in [19,22,24] only present informal analysis of the security of the proposed protocols, and some of these protocols were subsequently found to be flawed [19]. Joux [15] proposed a single-round tripartite key agreement using Weil and Tate pairings, but unauthenticated. Authenticated versions of this protocol were presented in [1,24]. Unfortunately, Joux’s method does not seem extendable to larger groups consisting of more than three parties since the method is based on the bilinearity itself. Recently, an ID-based group ($n$-party) key agreement protocol which uses one-way function trees and a pairing was first proposed by Reddy, et al. [18] with informal security analysis. Barua, et al. [2] proposed an ID-based multi-party key agreement scheme which uses ternary trees. The two protocols above have $O(\lg n)$ communication rounds.

Contribution. In this paper we formally present an efficient ID-based authenticated group key agreement, which uses bilinear-based cryptography. The protocol is a contributory key agreement in which generating a group key is the responsibility not only of the group manager, but also of every group member. Hence it does not impose a heavy computational burden on a particular party, which may cause a bottleneck.

To construct our ID-based AGKA protocol, we first present the underlying 2-round GKA protocol, which is a bilinear version of the Burmester and Desmedt (BD) protocol [13]. We should be careful with the conversion, since the trivial conversion of the BD protocol into a bilinear setting by simply substituting generators does not provide security even against a passive adversary. This security degradation stems from the gap property of a certain group where the DDH problem is easy but the GDH problem is hard.

We then make an ID-based authentication method by combining this method and the former GKA protocol. In fact the presented ID-based authentication method can be naturally transformed into a normal ID-based signature scheme. Moreover, the method provides a batch verification technique, which verifies the validity of transcripts simultaneously, to greatly improve computational efficiency. Like the underlying GKA protocol, our ID-based AGKA protocol is 2-round. Our ID-based AGKA protocol is the most efficient in computational and communication costs compared to other previously known ID-based AGKA protocols.

We prove the security of both protocols under the intractability of GDH 
and DBDH (Decisional Bilinear DH) problems in the random oracle model. The 
protocols achieve forward secrecy in the sense that exposure of user’s long-lived 
secret keys does not compromise the security of previous session keys. 

Related Work. Since the original two-party Diffie-Hellman key agreement protocol was presented in [14], authenticated key agreement problems have been extensively researched. In particular, Bellare and Rogaway adapted so-called provable security to key exchange and first provided a formal framework in the two- and three-party setting [5,6]. Based on that model, many subsequent works have identified concrete cryptographic problems.

Only recently, provably secure solutions for the authenticated group key agreement problem were presented in the works of Bresson, et al. [12,10,11], which extended the results in [5,6,4]. Despite this initial formal step, these protocols, based on the protocols of Steiner, et al. [23], require (relatively) expensive computation and the number of rounds is linear in the number of users participating in a session. Boyd, et al. [8] presented a very efficient GKA protocol with a security proof in the random oracle model but did not provide forward secrecy. Katz, et al. [16] presented a constant-round and scalable AGKA protocol with forward secrecy, which is proven secure in the standard model. They took a modular approach and used a signature-based compiler that transforms any GKA protocol secure against a passive adversary into one secure against a stronger active adversary.

Organization. Our paper is organized as follows. We define our security model 
in Section 2. We review cryptographic assumptions needed in Section 3. We 
present our GKA and ID-based AGKA protocols and prove the security in Sec- 
tion 4. We finally compare our protocol with other ID-based AGKA protocols 
and conclude in Section 5. 



2 The Model 

The model described in this section extends one of Bresson, et al. [10] which 
follows the approach of Bellare and Rogaway [5,6]. 

In our protocol, we assume a broadcast network in which the users can broadcast messages to others. Our broadcast network will neither provide authenticity nor guarantee that all users receive identical messages. I.e., we allow the possibility that a malicious adversary may read the broadcast messages and substitute some of them.



2.1 Security Model 

Participants. We assume that each user $U_i$ has a unique identity $ID_i$ from $\{0,1\}^{\ell}$ and all identities are distinct. We also assume for simplicity a fixed set of protocol users $\mathcal{U} = \{U_1, \ldots, U_n\}$ where the number of users is polynomial in the security parameter $k$.

In the model we allow each user $U_i \in \mathcal{U}$ to execute the protocol many times with different users. Instances of a user $U_i$ model distinct, but possibly concurrent, executions of the protocol. We denote instance $s$ of a user $U_i$, called an oracle, by $\Pi_i^s$ for an integer $s \in \mathbb{N}$.

Initialization. During this phase, each user $U \in \mathcal{U}$ gets public and private keys. The ID-based GKA protocol requires the following initialization phase.
- The master secret key $msk$ and global parameters $params$ are generated by algorithm Setup: $params \leftarrow \mathrm{Setup}(1^k, \ell)$ where $\ell$ is the identity length.

- Each user $U_i$ gains the long-term secret key $S_i$ from algorithm Ext: $S_i \leftarrow \mathrm{Ext}_{msk}(ID_i)$.

The public parameters $params$ and identities $\mathcal{ID} = \{ID_1, \ldots, ID_n\}$ are known by all users (and also by the adversary).

Adversarial model. Normally, the security of a protocol is related to the adver- 
sary’s ability. The abilities are formally modeled by queries issued by adversaries. 
We assume that a probabilistic polynomial time (PPT) adversary A controls the 
communications completely and can make queries to any instance. The list of 
queries that A can make is summarized below: 

- Extract($ID_U$): This query allows the adversary to get the long-term private key corresponding to $ID_U$ where $ID_U \notin \mathcal{ID}$.

- Execute($\mathcal{ID}$): This query models passive attacks, where the adversary eavesdrops on an execution of the protocol. $A$ gets back the complete transcript of an honest execution between the users in $\mathcal{ID}$. The number of group members is chosen by the adversary.

- Send($\Pi_i^s$, $M$): This query allows the adversary to make the user $ID_i$ run the protocol normally. This sends message $M$ to instance $\Pi_i^s$ which returns the reply generated by this instance.

- Reveal($\Pi_i^s$): This query models the adversary’s ability to find session group keys. If an oracle $\Pi_i^s$ has accepted, holding a session group key $K$, then $K$ is returned to the adversary.

- Corrupt($ID_i$): This query models attacks revealing the long-term secret key $S_i$. This does not output any internal data of $ID_i$.

- Test($\Pi_i^s$): This query models the semantic security of a session key. This query is allowed only once by the adversary $A$. A random bit $b$ is chosen; if $b = 1$ then the session key is returned, otherwise a random value is returned.

In the model we consider two types of adversaries according to their attack types. The attack types are simulated by the queries issued by adversaries. A passive adversary is allowed to issue Execute, Reveal, Corrupt, and Test queries, while an active adversary is additionally allowed to issue Send and Extract queries. Even though the Execute query can be simulated using Send queries repeatedly, we use the Execute query for a more exact analysis.

2.2 Security Notions 

Session IDs and Partnering. Following [16], we define session IDs and partnering. The session IDs (SIDS) for an oracle $\Pi_i^s$ are defined as $\mathrm{SIDS}(\Pi_i^s) = (SID_{ij})$, where $SID_{ij}$ is the concatenation of all messages sent and received by an oracle $\Pi_i^s$ during the execution. The partner ID for an oracle $\Pi_i^s$, denoted by $\mathrm{PIDS}(\Pi_i^s)$, is the set of the identities of the users with whom $\Pi_i^s$ intends to establish a session key. Instances $\Pi_i^s$ and $\Pi_j^t$ are partnered if and only if $\mathrm{PIDS}(\Pi_i^s) = \mathrm{PIDS}(\Pi_j^t)$ and $\mathrm{SIDS}(\Pi_i^s) = \mathrm{SIDS}(\Pi_j^t)$. The presented notion of partnering is simple since all messages are sent to all other users taking part in the protocol. We say that an oracle $\Pi_i^s$ accepts when it has enough information to compute a session key.

Freshness. An oracle $\Pi_i^s$ is said to be fresh (or to hold a fresh key $K$) if:

- $\Pi_i^s$ has accepted a session key $K \ne \mathrm{NULL}$ and neither $\Pi_i^s$ nor one of its partners has been asked for a Reveal query,

- No Corrupt query has been asked before a query of the form Send($\Pi_i^s$, *) or Send($\Pi_j^t$, *), where $\Pi_j^t$ is one of $\Pi_i^s$’s partners.

Definitions of Security. We define the security of the protocol by the following game between the adversary $A$ and an infinite set of oracles $\Pi_i^s$ for $ID_i \in \mathcal{ID}$ and $s \in \mathbb{N}$.

1. The long-term keys are assigned to each user through the initialization phase 
related to the security parameter. 

2. Run adversary A who may issue some queries and get back the answers by 
the corresponding oracles. 

3. At some stage during the execution a Test query is issued by the adversary to 
a fresh oracle. The adversary may continue to make other queries, eventually 
outputs its guess b' for the bit b involved in the Test query and terminates. 

In this game, the advantage of the adversary $A$ is measured by its ability to distinguish the session group key from a random value, i.e. its ability to guess $b$. We define Succ to be the event that $A$ correctly guesses the bit $b$ used by the Test oracle in answering this query. The advantage of an adversary $A$ in attacking protocol $P$ is defined as $\mathrm{Adv}_{A,P}(k) = |2 \cdot \Pr[\mathrm{Succ}] - 1|$.

We say that a protocol $P$ is a secure (ID-based authenticated) group key agreement scheme if the following two properties are satisfied:

- Correctness: in the presence of a passive (active) adversary, partner oracles accept the same key.

- Indistinguishability: for every PPT passive (active) adversary $A$, $\mathrm{Adv}_{A,P}(k)$ is negligible.

Forward Secrecy. In this paper, we are concerned with protocols providing forward secrecy, meaning that an adversary gets negligible information about previously established session keys when making a Corrupt query. We define $\mathrm{Adv}_P^{\mathrm{passive}}(t, q_{ex})$ to be the maximal advantage of any passive adversary attacking $P$, running in time $t$ and making $q_{ex}$ Execute queries. Similarly, we define $\mathrm{Adv}_P^{\mathrm{active}}(t, q_{ex}, q_s)$ to be the maximal advantage of any active adversary attacking $P$, running in time $t$ and making $q_{ex}$ Execute queries and $q_s$ Send queries.

Authentication. In this paper, we focus on AGKA with implicit authentication; a key agreement protocol is said to provide implicit key authentication if users are assured that no other users except partners can possibly learn the value of a particular secret key. Note that the property of implicit key authentication does not necessarily mean that partners have actually obtained the key.

3 The Bilinear Maps and Assumptions

In this section, we review some assumptions related to our protocols. Throughout the paper, we assume that $G_1$ is a cyclic additive group of prime order $q$ and $G_2$ is a cyclic multiplicative group of the same order $q$, and the discrete logarithm problem (DLP) in both $G_1$ and $G_2$ is intractable.

CDH Parameter Generator: A CDH parameter generator $\mathcal{IG}_{CDH}$ is a PPT algorithm that takes a security parameter $1^k$, runs in polynomial time, and outputs an additive group $G$ of prime order $q$.

Computational Diffie-Hellman (CDH) problem in $G$: Informally speaking, the computational DH problem is to compute $abP$ when given a generator $P$ of $G$ and $aP, bP$ for some $a, b \in \mathbb{Z}_q^*$. More formally, the advantage of $A$ with respect to $\mathcal{IG}_{CDH}$ is defined to be

$$\Pr\big[A(G, P, aP, bP) = abP \;\big|\; G \leftarrow \mathcal{IG}_{CDH}(1^k);\ P \leftarrow G;\ a, b \leftarrow \mathbb{Z}_q^*\big].$$

$\mathcal{IG}_{CDH}$ is said to satisfy the CDH assumption if any PPT $A$ has negligible advantage in solving the CDH problem.

Admissible Bilinear Map. We call $e : G_1 \times G_1 \to G_2$ an admissible bilinear map if it satisfies the following properties:

1. Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q$.

2. Non-degenerate: There exists a $P \in G_1$ such that $e(P, P) \ne 1$.

3. Computable: There exists an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

BDH Parameter Generator: A BDH parameter generator $\mathcal{IG}_{BDH}$ is a probabilistic polynomial time (PPT) algorithm that takes a security parameter $1^k$, runs in polynomial time, and outputs the description of two groups $G_1$ and $G_2$ of the same order $q$ and an admissible bilinear map $e : G_1 \times G_1 \to G_2$.

Decisional Bilinear Diffie-Hellman (DBDH) problem in $[G_1, G_2, e]$: Informally speaking, the decisional BDH problem is to distinguish between tuples of the form $(P, aP, bP, cP, e(P,P)^{abc})$ and $(P, aP, bP, cP, e(P,P)^{d})$ for random $P \in G_1$ and $a, b, c, d \in \mathbb{Z}_q^*$. More formally, the advantage of $A$ with respect to $\mathcal{IG}_{BDH}$ is defined to be

$$\Pr\big[A(G_1, G_2, e, P, aP, bP, cP, e(P,P)^{abc}) = 1 \;\big|\; (G_1, G_2, e) \leftarrow \mathcal{IG}_{BDH}(1^k);\ P \leftarrow G_1;\ a, b, c \leftarrow \mathbb{Z}_q^*\big]$$

$$- \Pr\big[A(G_1, G_2, e, P, aP, bP, cP, e(P,P)^{d}) = 1 \;\big|\; (G_1, G_2, e) \leftarrow \mathcal{IG}_{BDH}(1^k);\ P \leftarrow G_1;\ a, b, c, d \leftarrow \mathbb{Z}_q^*\big].$$

$\mathcal{IG}_{BDH}$ is said to satisfy the DBDH assumption if any PPT $A$ has negligible advantage in solving the DBDH problem.

As noted in [7], BDH parameter generators satisfying the DBDH assumption are believed to be constructible from Weil and Tate pairings associated with supersingular elliptic curves or Abelian varieties.



4 Our GKA and ID-based AGKA Protocol 

4.1 GKA Protocol Using a Bilinear Map 

We now describe a 2-round GKA protocol using bilinear maps. We denote this protocol by B-GKA. In fact, this protocol is a bilinear variant of the protocol by Burmester and Desmedt. In this protocol, no long-term public/private keys are required. In the following description, groups $G_1$, $G_2$ and a bilinear map $e$ are generated by a BDH generator as in Section 3 and $P$ is a random generator of $G_1$. When $n$ users $U_1, \ldots, U_n$ want to establish a session key, they proceed as follows:

[Round 1] Each user $U_i$ picks a random integer $a_i \in \mathbb{Z}_q^*$ and computes $P_i = a_i P$. Then each $U_i$ broadcasts $P_i$ to all others and keeps $a_i$ secret.

[Round 2] Upon receipt of $P_{i-1}$, $P_{i+1}$ and $P_{i+2}$, each user $U_i$ computes

$$D_i = e\big(a_i (P_{i+2} - P_{i-1}),\, P_{i+1}\big)$$

and broadcasts $D_i$ to all others.

Key Computation. Each $U_i$ computes the session key as follows:

$$K_i = e(a_i P_{i-1}, P_{i+1})^{n} \cdot D_i^{\,n-1} \cdot D_{i+1}^{\,n-2} \cdots D_{i-2}.$$

It is obvious that all honest users compute the same key as follows:

$$K = e(P, P)^{a_1 a_2 a_3 + a_2 a_3 a_4 + \cdots + a_{n-1} a_n a_1 + a_n a_1 a_2}.$$

We note that the trivial conversion of the BD protocol to a bilinear setting by simply substituting generators does not provide security even against a passive adversary. This is possible because of the gap property of $G_1$, where the DDH problem is easy but the CDH problem is hard.

Theorem 1. The protocol B-GKA is a secure GKA protocol providing forward 
secrecy under the DBDH assumption. Concretely, 

$$\mathrm{Adv}^{\mathrm{AKE}}_{\text{B-GKA}}(t, q_{ex}) \le 4 \cdot \mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{G}}(t).$$

We can prove Theorem 1 in two steps, by a standard hybrid argument and by 
showing the information-theoretic independence of the session key from the 
transcript. The security analysis is similar to that of Katz et al. [17]. For 
lack of space we omit the proof. A tighter security reduction can be obtained 
using the random self-reducibility of the DBDH problem; the reduction method 
of [17,21] applies to our reduction as well. 
4.2 ID-based Authenticated Group Key Agreement Protocol 

In this section we present an ID-based AGKA protocol based on the previous 
protocol B-GKA. We denote this protocol by ID-GKA. The protocol involves a 
trusted key generation center (KGC). In the following description H : {0,1}* → 
Z_q and H_1 : {0,1}* → G_1 are cryptographic hash functions. H and H_1 are 
modeled as random oracles in the security proof. 

Setup. KGC runs the BDH parameter generator, chooses a random s ∈ Z_q^* 
and a generator P of G_1, and computes P_pub = sP. Then KGC keeps s 
secret as the master secret key and publishes the system parameters params 
= {e, G_1, G_2, q, P, P_pub, H, H_1}. 

Extract. When a user with identity ID wishes to obtain a key pair, KGC 
computes Q_ID = H_1(ID) and the private key S_ID = s Q_ID, and returns 
S_ID to the user. 

Let {U_1, ..., U_n} be a set of users who want to establish a session key and ID_i 
be the identity of each U_i. The indices are taken modulo n. U_i's long-term 
public and private key pair is (ID_i, S_i = s Q_i), where Q_i = H_1(ID_i). 

[Round 1] Each user U_i picks a random integer a_i ∈ Z_q^* and computes P_i = 
a_i P, h_i = H(P_i) and T_i = a_i P_pub + h_i S_i. Each U_i broadcasts (P_i, T_i) to all 
others and keeps a_i secret. 

[Round 2] Upon receipt of (P_{i-1}, T_{i-1}), (P_{i+1}, T_{i+1}) and (P_{i+2}, T_{i+2}), each 
user U_i checks whether the following equation holds: 

$$e\Big(\sum_{k \in \{-1,1,2\}} T_{i+k},\; P\Big) = e\Big(\sum_{k \in \{-1,1,2\}} \big(P_{i+k} + h_{i+k} Q_{i+k}\big),\; P_{pub}\Big),$$

where h_{i+k} = H(P_{i+k}). If the above equation is satisfied, then U_i computes 

$$D_i = e\big(a_i(P_{i+2} - P_{i-1}),\, P_{i+1}\big)$$

and broadcasts D_i to all others. Otherwise U_i stops. 

Key Computation. Each U_i computes the session key 

$$K_i = e(a_i P_{i-1}, P_{i+1})^{n} \cdot D_i^{\,n-1} \cdot D_{i+1}^{\,n-2} \cdots D_{i-2}.$$

The correctness of the key computation is the same as for the protocol B-GKA. 

In the above protocol, we used an authentication scheme F defined as follows: 

Generation. Given a secret key S_ID = s H_1(ID), compute T = a P_pub + h S_ID 
where a ←_R Z_q^* and h = H(aP); (aP, T) ← F_gen(S_ID). 

Verification. Given a public Q_ID and (aP, T), verify that e(T, P) = e(aP + 
h Q_ID, P_pub), where h = H(aP); True or False ← F_ver(Q_ID, (aP, T)). 

The correctness of F is easily verified: for a given public Q_ID and (aP, T), 

$$e(T, P) = e(asP + hsQ_{ID}, P) = e(aP + hQ_{ID}, P_{pub}), \qquad h = H(aP).$$

In fact, in Round 2 each user uses a screening test [3] to verify the validity 
of the authentication data, for computational efficiency. This test provides a 
weaker notion: it determines whether each user has at some point generated 
the transcript for authentication, rather than checking that the given data is a 
valid transcript for authentication. This validation notion is adequate for our 
goal since each user wants implicit authentication for a session rather than 
authentication data. However, we can directly adapt a batch technique 
providing the strong notion, such as the random subset test or the small 
exponents test, as in [3,9]. 

We note that the authentication scheme F can be easily transformed into an 
ID-based signature scheme. 

For the following security analysis we define Forger_F as a PPT forger of the 
authentication scheme F under the adaptively chosen ID attack and Forger'_F as 
a PPT forger of F under the given ID attack. 
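Before the security analysis, the following added example (not code from the paper) runs B-GKA from Section 4.1 and ID-GKA from this section end to end, including the scheme F and the Round 2 screening test. Its pairing is an assumed toy: an element xP of G_1 is stored as the scalar x mod q and e(xP, yP) = g^{xy} in the prime-order subgroup of Z_p^* generated by g, with the illustrative constants q = 1019, p = 2039, g = 4. That map is bilinear and non-degenerate, so the protocol arithmetic is exact, but discrete logarithms in this G_1 are trivial, so the code shows correctness only and says nothing about security. H and H_1 are SHA-256 stand-ins for the random oracles. The function screening_gap illustrates the weaker notion of the screening test: two transcripts altered by opposite offsets each fail F_ver yet still satisfy the batch equation, which is exactly the sum-only check described above.

```python
"""Toy end-to-end run of B-GKA (Section 4.1) and ID-GKA (Section 4.2).
Added example, not the paper's code. Pairing stand-in (assumption): xP in G1
is the scalar x mod Q, e(xP, yP) = g^{xy} mod P_MOD with g of order Q. This
is bilinear and non-degenerate, so the arithmetic is exact, but discrete logs
in this G1 are trivial: it demonstrates correctness, not security."""
import hashlib
import secrets

Q = 1019            # toy prime group order (assumption: P_MOD = 2Q+1 is prime)
P_MOD = 2 * Q + 1   # 2039
G2_GEN = 4          # quadratic residue mod P_MOD, hence of order Q
P = 1               # the generator P of G1 is represented by the scalar 1


def e(x, y):
    """Bilinear map e(xP, yP) = g^{xy} in G2."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def H(x):
    """H : {0,1}* -> Z_q (SHA-256 stand-in for the random oracle)."""
    return int.from_bytes(hashlib.sha256(b"H|" + str(x).encode()).digest(), "big") % Q


def H1(identity):
    """H1 : {0,1}* -> G1, returned as the scalar representing Q_ID."""
    d = hashlib.sha256(b"H1|" + identity.encode()).digest()
    return int.from_bytes(d, "big") % Q or 1


def kgc_setup():
    """KGC picks the master secret s and publishes P_pub = sP."""
    s = secrets.randbelow(Q - 1) + 1
    return s, (s * P) % Q


def kgc_extract(s, identity):
    """Private key S_ID = s Q_ID."""
    return (s * H1(identity)) % Q


def f_gen(s_id, a, ppub):
    """Scheme F, generation: (aP, T) with T = a P_pub + h S_ID, h = H(aP)."""
    ap = (a * P) % Q
    return ap, (a * ppub + H(ap) * s_id) % Q


def f_ver(q_id, ap, t, ppub):
    """Scheme F, verification: e(T, P) == e(aP + h Q_ID, P_pub)."""
    return e(t, P) == e((ap + H(ap) * q_id) % Q, ppub)


def screen(items, ppub):
    """Round-2 screening test on (P_j, T_j, Q_j) triples: only sums are checked."""
    lhs = e(sum(t for _, t, _ in items) % Q, P)
    rhs = e(sum(pj + H(pj) * qj for pj, _, qj in items) % Q, ppub)
    return lhs == rhs


def key_compute(i, a_i, Ps, Ds):
    """K_i = e(a_i P_{i-1}, P_{i+1})^n * D_i^{n-1} * D_{i+1}^{n-2} * ... * D_{i-2}."""
    n = len(Ps)
    k = pow(e((a_i * Ps[(i - 1) % n]) % Q, Ps[(i + 1) % n]), n, P_MOD)
    for j in range(n - 1):
        k = k * pow(Ds[(i + j) % n], n - 1 - j, P_MOD) % P_MOD
    return k


def run_gka(ids, kgc=None):
    """Run B-GKA (kgc None) or ID-GKA (kgc = (s, P_pub)) for the users in ids.
    Returns (key computed by each user, expected common key)."""
    n = len(ids)
    a = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]   # secret a_i
    Ps = [(ai * P) % Q for ai in a]                          # Round 1: P_i = a_i P
    if kgc is not None:
        s, ppub = kgc
        Ts = [f_gen(kgc_extract(s, ids[i]), a[i], ppub)[1] for i in range(n)]
        Qs = [H1(identity) for identity in ids]
        for i in range(n):                       # Round 2: screen the 3 neighbours
            nb = [(Ps[(i + k) % n], Ts[(i + k) % n], Qs[(i + k) % n]) for k in (-1, 1, 2)]
            if not screen(nb, ppub):
                raise ValueError(f"U_{i}: screening test failed, stopping")
    # Round 2: D_i = e(a_i (P_{i+2} - P_{i-1}), P_{i+1})
    Ds = [e((a[i] * (Ps[(i + 2) % n] - Ps[(i - 1) % n])) % Q, Ps[(i + 1) % n])
          for i in range(n)]
    keys = [key_compute(i, a[i], Ps, Ds) for i in range(n)]
    expo = sum(a[i] * a[(i + 1) % n] * a[(i + 2) % n] for i in range(n)) % Q
    return keys, pow(G2_GEN, expo, P_MOD)      # e(P,P)^{a1a2a3 + ... + an a1 a2}


def screening_gap(s, ppub, ids):
    """Weaker notion of the screening test: add d to T_1 and subtract d from
    T_2. Each altered transcript fails F_ver, yet the batch equation holds."""
    items = []
    for identity in ids:
        ap, t = f_gen(kgc_extract(s, identity), secrets.randbelow(Q - 1) + 1, ppub)
        items.append([ap, t, H1(identity)])
    d = secrets.randbelow(Q - 1) + 1
    items[0][1] = (items[0][1] + d) % Q
    items[1][1] = (items[1][1] - d) % Q
    singles = [f_ver(qj, pj, tj, ppub) for pj, tj, qj in items]
    return singles, screen(items, ppub)
```

run_gka returns the per-user keys together with e(P,P)^{Σ a_i a_{i+1} a_{i+2}}, so the two can be compared directly; for n = 3 every D_i is the identity because P_{i+2} = P_{i-1}, and the key formula still agrees with the closed form.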



Theorem 2. Suppose the hash functions H, H_1 are random oracles. Then the 
protocol ID-GKA is a secure AGKA protocol providing forward secrecy under the 
DBDH assumption and the CDH assumption. Concretely, 

$$\mathrm{Adv}^{\mathrm{AKE}}_{\text{ID-GKA}}(t, q_{ex}, q_s) \le 2n q_{ex} \cdot \mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{G}}(t) + \mathrm{Adv}^{\mathrm{forge}}_{F}(t),$$

where Adv^forge_F(t) is the maximum advantage of any Forger_F running in time t. 

Proof. Let A be an active adversary that gets advantage in attacking ID-GKA. 
The adversary A can gain its advantage either by forging authentication 
transcripts, namely impersonating a user, or by 'breaking' the protocol without 
altering transcripts. 

First we assume that A breaks ID-GKA using its adaptive impersonation ability. 
Using A, we construct a Forger_F C that generates a valid message pair 
(ID, aP, T) with respect to F as follows: C honestly generates all other public 
and private keys for the system. C simulates the oracle queries of A in the 
natural way; this results in a perfect simulation unless A queries Corrupt(ID). 
If this occurs, C simply aborts. Otherwise, if A generates a new and valid 
message pair (ID, aP, T) (we denote this event by Forge), then C outputs the 
message pair (ID, aP, T). The success probability of C satisfies 

$$\Pr_A[\mathrm{Forge}] \le \mathrm{Adv}^{\mathrm{forge}}_{C}(t) \le \mathrm{Adv}^{\mathrm{forge}}_{F}(t).$$

Next we assume that A breaks ID-GKA without altering transcripts. Before 
describing the details we define the Modified DBDH (MDBDH) problem related 
to our security reduction. The MDBDH problem in [G_1, G_2, e] is to distinguish 
between tuples of the form (P, aP, bP, cP, sP, saP, sbP, scP, e(P, P)^{abc}) and 
(P, aP, bP, cP, sP, saP, sbP, scP, e(P, P)^{d}) for random P ∈ G_1 and a, b, c, d, s ∈ 
Z_q^*. It is easily shown that the DBDH problem and the MDBDH problem in 
[G_1, G_2, e] are computationally equivalent, namely 
$\mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{G}}(t) = \mathrm{Adv}^{\mathrm{MDBDH}}_{\mathcal{G}}(t)$. 

We first consider the case that an adversary A makes only a single Execute 
query Execute(ID_1, ..., ID_n) and then extend this to the case that A makes 
multiple Execute queries. Let n be the number of users chosen by the adversary A. 
The distribution of the transcript T and the resulting group key K is given by: 

$$\mathrm{Real} = \left\{\begin{array}{l}
(G_1, G_2, e) \leftarrow \mathcal{IG}_{BDH}(1^k);\ P \leftarrow G_1;\ s \leftarrow \mathbb{Z}_q^*;\ P_{pub} = sP; \\
Q_1, \ldots, Q_n \leftarrow G_1;\ S_1 = sQ_1, \ldots, S_n = sQ_n : \mathrm{params} = (G_1, G_2, e, P, P_{pub}); \\
a_1, \ldots, a_n, h_1, \ldots, h_n \leftarrow \mathbb{Z}_q^*;\ P_1 = a_1 P, \ldots, P_n = a_n P; \\
T_1 = a_1 P_{pub} + h_1 S_1, \ldots, T_n = a_n P_{pub} + h_n S_n; \\
D_1 = \dfrac{e(a_1 P_2, P_3)}{e(a_n P_1, P_2)},\ D_2 = \dfrac{e(a_2 P_3, P_4)}{e(a_1 P_2, P_3)},\ \ldots,\ D_n = \dfrac{e(a_n P_1, P_2)}{e(a_{n-1} P_n, P_1)}; \\
\mathcal{T} = (P_1, \ldots, P_n, T_1, \ldots, T_n, D_1, \ldots, D_n); \\
K = e(a_1 P_n, P_2)^{n} D_1^{\,n-1} \cdots D_{n-1} : (\mathcal{T}, K)
\end{array}\right\}$$
Consider the distributions Fake_i defined as follows: 

$$\mathrm{Fake}_1 = \left\{\begin{array}{l}
r_{n,1,2}, a_1, \ldots, a_n, h_1, \ldots, h_n \leftarrow \mathbb{Z}_q^*;\ P_1 = a_1 P, \ldots, P_n = a_n P; \\
T_1 = a_1 P_{pub} + h_1 S_1, \ldots, T_n = a_n P_{pub} + h_n S_n; \\
D_1 = \dfrac{e(a_1 P_2, P_3)}{e(r_{n,1,2} P, P)},\ D_2 = \dfrac{e(a_2 P_3, P_4)}{e(a_1 P_2, P_3)},\ \ldots,\ D_n = \dfrac{e(r_{n,1,2} P, P)}{e(a_{n-1} P_n, P_1)}; \\
\mathcal{T} = (P_1, \ldots, P_n, T_1, \ldots, T_n, D_1, \ldots, D_n); \\
K = e(r_{n,1,2} P, P)^{n} D_1^{\,n-1} \cdots D_{n-1} : (\mathcal{T}, K)
\end{array}\right\}$$

Continuing in this way (replacing one triple product a_i a_{i+1} a_{i+2} by a fresh 
random r_{i,i+1,i+2} at each step), we obtain the distribution: 

$$\mathrm{Fake}_n = \left\{\begin{array}{l}
r_{n,1,2}, r_{1,2,3}, \ldots, r_{n-1,n,1}, a_1, \ldots, a_n, h_1, \ldots, h_n \leftarrow \mathbb{Z}_q^*;\ P_1 = a_1 P, \ldots, P_n = a_n P; \\
T_1 = a_1 P_{pub} + h_1 S_1, \ldots, T_n = a_n P_{pub} + h_n S_n; \\
D_1 = \dfrac{e(r_{1,2,3} P, P)}{e(r_{n,1,2} P, P)},\ D_2 = \dfrac{e(r_{2,3,4} P, P)}{e(r_{1,2,3} P, P)},\ \ldots,\ D_n = \dfrac{e(r_{n,1,2} P, P)}{e(r_{n-1,n,1} P, P)}; \\
\mathcal{T} = (P_1, \ldots, P_n, T_1, \ldots, T_n, D_1, \ldots, D_n); \\
K = e(r_{n,1,2} P, P)^{n} D_1^{\,n-1} \cdots D_{n-1} : (\mathcal{T}, K)
\end{array}\right\}$$

A can compute all a_i P_pub = T_i − h_i S_i from the transcripts, since A can obtain 
all secret keys S_i and hash values h_i (i = 1, ..., n) by using multiple Corrupt 
and H queries, respectively. Therefore the distribution of the previous transcripts 
is changed into a distribution related to the modified DBDH problem. Let 
ε(t) = Adv^MDBDH_G(t). A standard argument shows that for any algorithm A 
running in time t we have: 

$$\big|\Pr[\mathcal{T} \leftarrow \mathrm{Real};\ K \leftarrow \mathrm{Real} : A(\mathcal{T}, K) = 1] - \Pr[\mathcal{T} \leftarrow \mathrm{Fake}_1;\ K \leftarrow \mathrm{Fake}_1 : A(\mathcal{T}, K) = 1]\big| \le \varepsilon(t)$$
$$\big|\Pr[\mathcal{T} \leftarrow \mathrm{Fake}_1;\ K \leftarrow \mathrm{Fake}_1 : A(\mathcal{T}, K) = 1] - \Pr[\mathcal{T} \leftarrow \mathrm{Fake}_2;\ K \leftarrow \mathrm{Fake}_2 : A(\mathcal{T}, K) = 1]\big| \le \varepsilon(t)$$
$$\vdots$$
$$\big|\Pr[\mathcal{T} \leftarrow \mathrm{Fake}_{n-1};\ K \leftarrow \mathrm{Fake}_{n-1} : A(\mathcal{T}, K) = 1] - \Pr[\mathcal{T} \leftarrow \mathrm{Fake}_n;\ K \leftarrow \mathrm{Fake}_n : A(\mathcal{T}, K) = 1]\big| \le \varepsilon(t).$$

Let g = e(P, P) ∈ G_2. In experiment Fake_n, the values r_{1,2,3}, ..., r_{n,1,2} are 
constrained by T according to the following n equations 

$$\log_g D_1 = r_{1,2,3} - r_{n,1,2},\quad \log_g D_2 = r_{2,3,4} - r_{1,2,3},\quad \ldots,\quad \log_g D_n = r_{n,1,2} - r_{n-1,n,1},$$

of which only n − 1 are linearly independent (they sum to zero). Furthermore, 
K may be expressed as K = e(P, P)^{a_1 a_2 a_3 + a_2 a_3 a_4 + ... + a_n a_1 a_2}; 
equivalently, in Fake_n we have 

$$\log_g K = r_{1,2,3} + r_{2,3,4} + \cdots + r_{n,1,2}.$$

Since this final equation is linearly independent from the set of equations above, 
the value of K is independent of T. This implies that, for any adversary A: 

$$\Pr[\mathcal{T} \leftarrow \mathrm{Fake}_n;\ K \leftarrow \mathrm{Fake}_n : A(\mathcal{T}, K) = 1] = \Pr[\mathcal{T} \leftarrow \mathrm{Fake}_n;\ K \leftarrow \mathrm{Random} : A(\mathcal{T}, K) = 1].$$

Similarly, a standard argument shows that for any algorithm A running in 
time t we have: 

$$\big|\Pr[\mathcal{T} \leftarrow \mathrm{Fake}_n;\ K \leftarrow \mathrm{Fake}_n : A(\mathcal{T}, K) = 1] - \Pr[\mathcal{T} \leftarrow \mathrm{Fake}_{n-1};\ K \leftarrow \mathrm{Random} : A(\mathcal{T}, K) = 1]\big| \le \varepsilon(t)$$
$$\vdots$$
$$\big|\Pr[\mathcal{T} \leftarrow \mathrm{Fake}_1;\ K \leftarrow \mathrm{Random} : A(\mathcal{T}, K) = 1] - \Pr[\mathcal{T} \leftarrow \mathrm{Real};\ K \leftarrow \mathrm{Random} : A(\mathcal{T}, K) = 1]\big| \le \varepsilon(t).$$

Eventually, we obtain the following equation: 

$$\big|\Pr[\mathcal{T} \leftarrow \mathrm{Real};\ K \leftarrow \mathrm{Real} : A(\mathcal{T}, K) = 1] - \Pr[\mathcal{T} \leftarrow \mathrm{Real};\ K \leftarrow \mathrm{Random} : A(\mathcal{T}, K) = 1]\big| \le 2n\,\varepsilon(t).$$

Since ε(t) = Adv^MDBDH_G(t) = Adv^DBDH_G(t), we have the result that the 
advantage of A conditioned on the event ¬Forge is bounded by 2n · Adv^DBDH_G(t). 
Hence we have 

$$\mathrm{Adv}^{\mathrm{AKE}}_{\text{ID-GKA}}(t, 1, q_s) \le 2n \cdot \mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{G}}(t) + \mathrm{Adv}^{\mathrm{forge}}_{F}(t).$$

Finally we have the desired result by adapting a standard hybrid argument over 
the q_ex Execute queries: 

$$\mathrm{Adv}^{\mathrm{AKE}}_{\text{ID-GKA}}(t, q_{ex}, q_s) \le 2n q_{ex} \cdot \mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{G}}(t) + \mathrm{Adv}^{\mathrm{forge}}_{F}(t).$$

We next show that the authentication scheme F is secure against existential 
forgery under the adaptively chosen ID attack. 

Lemma 1. Let the hash function H_1 be a random oracle. Suppose there exists a 
Forger_F A for an adaptively chosen ID with running time t_0 and advantage ε_0. 
Suppose A makes at most q_{H_1} queries to the hash function H_1. Then there is a 
Forger'_F B for a given ID with running time t_1 ≤ t_0 and advantage 
ε_1 ≥ ε_0 (1 − 1/q) / q_{H_1}. 

Lemma 2. Let the hash functions H, H_1 be random oracles. Suppose there exists 
a Forger'_F A for a given ID with running time t_1 and advantage ε_1 > 
10(q_s + 1)(q_s + q_H)/q. Suppose A makes at most q_H, q_{H_1}, q_s and q_ex queries to 
H, H_1, Send and Extract respectively. Then there exists an attacker B that 
can solve the CDH problem within expected time t_2 ≤ 120686 q_H t_1 / ε_1. 

The proofs of the above two lemmas are given in the Appendix. Combining 
Lemmas 1 and 2, we obtain that Adv^forge_F(t) is negligible, as stated in the 
following theorem. Therefore our ID-GKA is a secure AGKA protocol providing 
forward secrecy. 

Theorem 3. Let the hash functions H, H_1 be random oracles. Suppose there 
exists a Forger_F A for an adaptively chosen ID with running time t_0 and 
advantage ε_0 > 10 q_{H_1}(q_s + 1)(q_s + q_H)/(q − 1). Suppose A makes at most 
q_H, q_{H_1}, q_s and q_ex queries to H, H_1, Send and Extract respectively. Then 
there exists an attacker B that can solve the CDH problem within expected time 
t_2 ≤ 120686 q_H t_0 / ε_0. 



5 Comparison and Conclusion 

We now compare our protocol ID-GKA with other previously known ID-based 
GKA protocols, the binary tree based 2T-IDAGKA [18] and the ternary tree 
based 3T-IDAGKA [2], in Table 1. We use the following notation: 

- Round: the total number of rounds. 

- Message: the total number of messages sent by users. 

- Computation: the total number of scalar multiplications. 

- Pairing: the total number of pairing computations. 

Because the number of users is relatively small in practice, we can assume that, 
in our ID-GKA, the key computation step requires just one scalar multiplication. 
Protocol              | Round    | Message    | Computation | Pairing 
----------------------|----------|------------|-------------|----------- 
2T-IDAGKA [18]        | O(lg n)  | O(n lg n)  | O(n lg n)   | O(n lg n) 
3T-IDAGKA [2]         | O(lg n)  | O(n)       | O(n)        | O(n lg n) 
Our ID-GKA protocol   | O(1)     | O(n)       | O(n)        | O(n) 

Table 1. Comparison of ID-based AGKA protocols 



As shown in Table 1, our protocol is the most efficient one compared to the 
other protocols. In particular, our protocol requires O(1) rounds and only O(n) 
pairing computations. 

In this paper, we have presented a 2-round and scalable ID-based AGKA 
protocol based on a bilinear variant of the BD protocol [13]. Moreover, we have 
adapted a batch verification technique that verifies the validity of transcripts 
simultaneously, which greatly improves the computational efficiency. We have proved 
the security of both protocols under the intractability of CDH and DBDH. 
A Proof of Lemma 1 

B is given ID*. Without any loss of generality, we assume that for any ID, A 
makes H_1, Send and Extract queries at most once, and that Send and Extract 
queries for a public key are preceded by the H_1 hash query. 

To respond to these queries B maintains a list L_{H_1} of pairs (ID_i, Q_i). The list 
is initially empty. First, B chooses α ∈ {1, ..., q_{H_1}} at random. B interacts with 
A as follows: 

- When A makes the α-th H_1 query, on ID, B issues an H_1 query for ID* 
and returns the result Q* to A. Then B adds (ID, Q*) to L_{H_1}. Otherwise, B 
issues an H_1 query for ID and returns the result Q to A. Then B inserts (ID, Q) 
into L_{H_1}. 

- When A issues an Extract query on Q_i, if Q_i = Q*, then B outputs FAIL and 
aborts. Otherwise, B issues an Extract query for Q_i and returns the result 
S_i to A. 

- When A issues an H query on a_i P, B issues an H query for a_i P and returns 
the result H(a_i P) to A. 

- When A issues a Send query on ID_i, B issues a Send query for ID_i and 
returns the result (ID_i, a_i P, T_i) to A. 

Eventually, A outputs (ID', a'P, T'). Then B finds the tuple of the form 
(ID', Q') in L_{H_1}. If Q' = Q* then B outputs (ID*, a'P, T'). Otherwise, B outputs 
FAIL and aborts. 

To complete the proof of Lemma 1 it remains to calculate the probability 
that algorithm B aborts during the simulation. Notice that, if Q' ≠ Q* and a 
pair (ID', Q') is not found in L_{H_1}, then the output (ID', a'P, T') is independent 
of the knowledge A accumulated from its various queries. This means that A 
succeeds in this case with probability 1/q. Therefore, the probability that B does 
not abort during the simulation is (1/q_{H_1})(1 − 1/q). 

B Proof of Lemma 2 

First, a BDH parameter generator is run and (e, G_1, G_2) is output. Then B 
receives a CDH instance (P, xP, yP) for randomly chosen x, y ∈ Z_q^* and P ∈ G_1. 
Its goal is to compute xyP. 

B runs a Forger'_F A as a subroutine and simulates its attack environment. 
B sets the public system parameters params = (e, G_1, G_2, P, P_pub, ID*, H, H_1) by 
letting P_pub = xP, where x is the master secret key, which is unknown to B, 
and selecting an identity ID* for the given ID attack of A. B gives params to A. 
Note that, for a given ID, the corresponding private key associated to params is 
S_ID = x Q_ID = x H_1(ID). 

Without loss of generality, we assume that for any ID, A queries H_1, Send and 
Extract at most once, and that Send and Extract queries for public keys are preceded 
by an H_1 hash query. To avoid collisions and consistently respond to these queries 
B maintains two lists L_{H_1} and L_T of tuples (ID_i, r_i, Q_i) and (ID_j, a_j P), respectively. 
The lists are initially empty. Algorithm B interacts with A as follows: 

- When A issues the H_1(ID*) query, B returns Q* = yP. For all other H_1 queries, 
B picks a random r_i ∈ Z_q^*, adds (ID_i, r_i, Q_i) to L_{H_1}, and returns Q_i = r_i P 
to A. 

- When A issues an Extract query on Q_i, if Q_i = Q*, then B outputs FAIL and 
aborts. Otherwise, B finds the tuple of the form (ID_i, r_i, Q_i) in L_{H_1} and 
returns the private key r_i P_pub = r_i xP = x r_i P = x Q_i to A. 

- When A issues an H query for a_i P, B picks a random h_i ∈ Z_q^* and 
returns h_i to A. 

- When A issues a Send query on ID_i, B picks a random a_i ∈ Z_q^*, computes 
a_i P, and adds the tuple (ID_i, a_i P) to L_T. B finds the tuple of the form 
(ID_i, r_i, Q_i) in L_{H_1}. Then B computes T_i = a_i xP + h_i r_i xP = a_i P_pub + h_i S_i 
and returns (ID_i, a_i P, T_i) to A. 

Eventually, A outputs a valid tuple (ID*, aP, h, T) such that (ID*, aP) ∉ L_T, 
which is expected to be valid for the fixed ID*, without accessing any oracle 
except H. By replaying B with the same random tape but different choices of 
H, as in the forking lemma (Theorem 3 of [20]), A outputs two valid tuples 
(ID*, aP, h, T) and (ID*, aP, h', T') such that h ≠ h'. If both outputs are the 
expected ones, then B computes (T − T')/(h − h') = xyP and outputs it (since 
T − T' = (h − h') S_{ID*} and S_{ID*} = x Q* = xyP). Otherwise, B outputs FAIL 
and aborts. 

The total running time of B is equal to the running time of the forking 
lemma (Theorem 3 of [20]), which is bounded by 120686 q_H t_1 / ε_1, as desired. 
Abstract. Schemes for encrypted key exchange are designed to provide 
two entities communicating over a public network, and sharing a (short) 
password only, with a session key to be used to achieve data integrity 
and/or message confidentiality. An example of a very efficient and "ele- 
gant" scheme for encrypted key exchange considered for standardization 
by the IEEE P1363 Standard working group is AuthA. This scheme was 
conjectured secure when the symmetric-encryption primitive is instanti- 
ated via either a cipher that closely behaves like an "ideal cipher", or a 
mask generation function that is the product of the message with a hash 
of the password. While the security of this scheme in the former case has 
been recently proven, the latter case was still an open problem. For the 
first time we prove in this paper that this scheme is secure under the 
assumptions that the hash function closely behaves like a random ora- 
cle and that the computational Diffie-Hellman problem is difficult. Fur- 
thermore, since Denial-of-Service (DoS) attacks have become a common 
threat we enhance AuthA with a mechanism to protect against them. 



1 Introduction 

The need for authentication is obvious when two entities communicate on the 
Internet. However, proving knowledge of a secret over a public link without 
leaking any information about this secret is a complex process. One extreme 
example is when a short string is used by a human as a means to get access to 
a remote service. This password is used by the human to authenticate itself to 
the remote service in order to establish a session key to be used to implement an 
authenticated communication channel within which messages sent over the wire 
are cryptographically protected. Humans directly benefit from this approach 
since they only need to remember a low-quality string chosen from a relatively 
small dictionary (e.g., 4 decimal digits). 

The seminal work in this area is the Encrypted Key Exchange (EKE) protocol 
proposed by Bellovin and Merritt in [5,6]. EKE is a classical Diffie-Hellman 
key exchange wherein the two flows are encrypted using the password as a 
common symmetric key. This encryption primitive can be instantiated via either a 
password-keyed symmetric cipher or a mask generation function computed as 
the product of the message with a hash of the password. This efficient structure 
later evolved into a protocol named AuthA, considered for standardization by 
the IEEE P1363 Standard working group on public-key cryptography [3]. AuthA 
was conjectured secure against dictionary attacks by its designers, but actually 
proving it was left as an open problem. 

Cryptographers have begun to analyze the AuthA protocol in an ideal model 
of computation wherein a hash function is modeled via a random function and a 
block cipher is modeled via random permutations [2,5,8]. These analyses have 
provided useful arguments in favor of AuthA, but do not guarantee that Au- 
thA is secure in the real world. These analyses only show that AuthA is secure 
against generic attacks that do not exploit a particular implementation of the 
block cipher, but in practice current block ciphers are far from being random 
permutations. A security proof in the random-oracle model only, while still using 
ideal objects, would provide a stronger and more convincing argument in favor 
of AuthA. 

One should indeed note that the ideal-cipher model seems to be a stronger 
model than the random-oracle one. Even if one knows constructions to build 
random permutations from random functions [13], they cannot be used to build 
ideal ciphers from random oracles. The difference here comes from the fact that 
the inner functions (random oracles) are available to the adversary. It could 
compute plaintext-ciphertext relations starting from the middle of the Feistel 
network, while in the programmable ideal-cipher model, one needs to control all 
these relations. 

Moreover, an AuthA scheme resistant to Denial-of-Service (DoS) attacks would 
be better suited to the computing environment we face every day, since nowadays 
attackers on the Internet make servers incapable of accepting new connections. 
These so-called Distributed DoS attacks exhaust the memory and computational 
power of the servers. 



Contributions. This paper examines the security of the AuthA password- 
authenticated key exchange protocol in the random-oracle model under the com- 
putational Diffie-Hellman assumption; no ideal-cipher assumption is needed. We 
work out our proofs by first defining the execution of AuthA in the communica- 
tion model of Bellare et al. [2] and then adapting the proof techniques recently 
published by Bresson et al. [8] . We exhibit very compact and “elegant” proofs to 
show that the One-Mask (OMDHKE- one flow is encrypted only) and the Two- 
Mask (MDHKE- both flows are encrypted) formal variants of AuthA and EKE 
are secure in the random-oracle model when the encryption primitive is a mask 
generation function. Because of lack of space, the latter variant is postponed to 
the full version of this paper [9]. 

We define the execution of AuthA in the Bellare et al. model wherein the 
protocol entities are modeled through oracles, and the various types of attacks 
are modeled by queries to these oracles. This model enables a treatment of 
dictionary attacks by allowing the adversary to obtain honest executions of the 
AuthA protocol. The security of AuthA against dictionary attacks depends on 
how many interactions the adversary carries out against the protocol entities 
rather than on the adversary's computational power. 

We furthermore enhance the schemes with a mechanism that offers protection 
against Denial-of-Service (DoS) attacks. This mechanism postpones the compu- 
tation of any exponentiation on the server side, as well as the storage of any 
state, until the initiator of the connection has been identified as a le- 
gitimate client. Roughly speaking, the server sends the client a "puzzle" [12] 
to solve, which requires the client to perform multiple cryptographic 
computations while the server can easily and efficiently check that the solution 
is correct. 

Related Work. The IEEE P1363.2 Standard working group on password-based 
authenticated key-exchange methods [11] has been focusing on key exchange 
protocols wherein clients use short passwords in place of certificates to identify 
themselves to servers. This standardization effort has its roots in the works 
of Bellare et al. [2] and Boyko et al. [7], wherein formal models and security 
goals for password-based key agreement were first formulated. Bellare et al. 
analyzed the EKE (where EKE stands for Encrypted Key Exchange) protocol [5], 
a classical Diffie-Hellman key exchange wherein the two flows are encrypted using 
the password as a common symmetric key. Several proofs have already been 
proposed, in various models, but all very intricate. The present paper provides 
a very short and “elegant” proof of AuthA or OMDHKE (but also of EKE or 
MDHKE in the full version), that is less prone to errors. 

Several works have already focused on designing mechanisms to protect 
against DoS attacks. Aiello et al. [1] treat the amount of Perfect Forward-Secrecy 
(PFS) as an engineering parameter that can be traded off against resistance to 
DoS attacks. DoS-resistance is achieved by saving the "state" of the current ses- 
sion in the protocol itself (i.e., in the flows) rather than on the server side. More 
precisely, the "state" of the protocol is hashed and put into a cookie, while the 
server needs only to memorize the hash value. Only once this is done does the 
server save the full state, and the connection is established. This technique prevents 
the attacker from exhausting the server's memory but does not prevent it from 
exhausting the server's computational power. One approach to counter the latter 
threat is to make the client compute some form of proof of computational effort, 
using a "puzzle" [12], also more recently used by Dwork et al. [10] to discourage 
spam. The present paper builds on that latter concept. 

2 The OMDHKE Protocol: One-Mask Diffie-Hellman Key 
Exchange 

The arithmetic is in a finite cyclic group G = ⟨g⟩ of order an ℓ-bit prime number q, 
where the operation is denoted multiplicatively. We also denote by G* the subset 
G \ {1} of the generators of G. Hash functions from {0,1}* to {0,1}^{ℓ_i} are denoted 
H_i, for i = 0, 1, while G denotes a full-domain hash function from {0,1}* into G. 
[Figure 1 as reproduced here has lost its two-column layout; what remains 
legible: both parties hold pw ∈ Password and PW = G(pw) and start with 
accept ← terminate ← false; the client sends X* = g^x · PW; the server 
unmasks it (X*/PW), raises the result to its own exponent y, computes 
Auth_S = H_1(· ‖ · ‖ · ‖ · ‖ PW ‖ ·) and the session key with H_0 over the 
same inputs, then sets terminate ← true; the client checks Auth_S, sets 
accept ← true if it is valid, derives the session key with H_0 and sets 
terminate ← true.] 

Fig. 1. An execution of the protocol OMDHKE, run between a client and a server. 



As illustrated in Figure 1 (with an honest execution of the OMDHKE protocol), 
the protocol runs between two parties A and S, and the session-key space SK 
associated to this protocol is {0,1}^{ℓ_0} equipped with the uniform distribution. 

The parties initially share a low-quality string pw, the password, drawn from 
the dictionary Password according to the distribution D_pw. In the following, we 
use the notation D_pw(q) for the probability to be in the most probable set of q 
passwords: 

$$\mathcal{D}_{pw}(q) = \max_{\substack{\mathcal{P} \subseteq \mathrm{Password} \\ \#\mathcal{P} \le q}} \Big\{ \Pr_{pw \leftarrow \mathcal{D}_{pw}}[pw \in \mathcal{P}] \Big\}.$$

Note that if we denote by U_N the uniform distribution among N passwords, 
D_{U_N}(q) = q/N. 

The protocol then runs as follows. The client chooses at random a private 
random exponent x and computes the corresponding Diffie-Hellman public value 
g^, but does not send this last value in the clear. The client encrypts the Diffie- 
Hellman public value using a mask generation function as the product of a 
Diffie-Hellman value with a full-domain hash of the password. Upon receiving 
this encrypted value, the server unmasks it and computes the Diffie-Hellman 
secret value g^^ which is used by the server to compute its authenticator Authg 
and the session key. The server sends its Diffie-Hellman public value g^ in the 
clear, Authg, and terminates the execution of the protocol. Upon receiving these 
values, the client computes the secret Diffie-Hellman value and checks that the 
authenticator Auths is a valid one. If the authenticator is valid, the client com- 
putes the session key, and terminates the execution of the protocol. 
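The following added example (not code from the paper) runs an honest execution of OMDHKE between A and S, and a run in which the two sides hold different passwords. Assumptions: the group is the order-q subgroup of Z_p^* for the toy safe prime p = 2q + 1 = 2039 (a deployment uses a 2048-bit MODP group or an elliptic curve); the full-domain hash G(pw) is a SHA-256 value squared modulo p, which lands in that subgroup; H_0 and H_1 are domain-separated SHA-256; and the hash inputs are concatenated in the order (A, S, X*, Y, PW, K), since the figure as reproduced on this page leaves the order of its first arguments unreadable. The identifiers Client, Server and run are this example's own.

```python
"""Toy run of OMDHKE (Figure 1): one masked Diffie-Hellman flow plus a server
authenticator. Added example, not the paper's code; see the assumptions above."""
import hashlib
import secrets

Q = 1019                 # toy prime order (assumption: P = 2Q + 1 = 2039 is prime)
P = 2 * Q + 1
G = 4                    # generator of the order-Q subgroup of Z_P^* (a QR != 1)
ELL = 32                 # output length of H0 and H1 in bytes


def _hash(tag, *parts):
    """Domain-separated SHA-256 over the concatenation of the parts."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(str(part).encode() + b"|")
    return h.digest()[:ELL]


def H0(*parts):          # session-key derivation
    return _hash(b"H0|", *parts)


def H1(*parts):          # server authenticator
    return _hash(b"H1|", *parts)


def fdh_G(pw):
    """Full-domain hash G : Password -> G. Squaring a nonzero value mod P
    lands in the QR subgroup <G> of order Q (assumed stand-in for the FDH)."""
    v = int.from_bytes(hashlib.sha256(b"G|" + pw.encode()).digest(), "big") % (P - 1) + 1
    return pow(v, 2, P)


def inv(x):
    return pow(x, P - 2, P)


class Client:
    def __init__(self, name, pw):
        self.name, self.PW = name, fdh_G(pw)
        self.accept = self.terminate = False

    def flow1(self):
        """First flow: X* = g^x * PW, the Diffie-Hellman value masked by PW."""
        self.x = secrets.randbelow(Q - 1) + 1
        self.Xstar = pow(G, self.x, P) * self.PW % P
        return self.name, self.Xstar

    def flow2(self, server, Y, auth_s):
        """Check Auth_S; on success derive sk, otherwise terminate without a key."""
        K = pow(Y, self.x, P)                                  # g^{xy}
        expected = H1(self.name, server, self.Xstar, Y, self.PW, K)
        self.terminate = True
        if not secrets.compare_digest(expected, auth_s):
            return None
        self.accept = True
        self.sk = H0(self.name, server, self.Xstar, Y, self.PW, K)
        return self.sk


class Server:
    def __init__(self, name, pw):
        self.name, self.PW = name, fdh_G(pw)
        self.terminate = False

    def respond(self, client, Xstar):
        """Unmask X*, compute K = (X*/PW)^y, send Y = g^y in the clear with Auth_S."""
        y = secrets.randbelow(Q - 1) + 1
        Y = pow(G, y, P)
        K = pow(Xstar * inv(self.PW) % P, y, P)
        self.sk = H0(client, self.name, Xstar, Y, self.PW, K)
        auth_s = H1(client, self.name, Xstar, Y, self.PW, K)
        self.terminate = True
        return self.name, Y, auth_s


def run(client_pw, server_pw):
    """One execution between A and S; returns (client key or None, server key)."""
    a, s = Client("A", client_pw), Server("S", server_pw)
    name, Xstar = a.flow1()
    sname, Y, auth_s = s.respond(name, Xstar)
    return a.flow2(sname, Y, auth_s), s.sk
```

With matching passwords both sides derive the same sk; with a wrong password on either side the server unmasks X* to a value other than g^x, its K differs from the client's, Auth_S fails the check and the client terminates without accepting. Note that nothing in the two flows lets a passive observer test a password guess offline: for every candidate PW there is some exponent x with X* = g^x · PW.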

3 The Formal Model 

The security model is the same as the one defined by Bellare et al. [2]. We briefly 
review it. 
The Security Model. We denote by A and S two parties that can participate 
in the key exchange protocol P. Each of them may have several instances, called 
oracles, involved in distinct, possibly concurrent, executions of P. We denote 
A (resp. S) instances by A^i (resp. S^j), or by U when we consider any user 
instance. The two parties share a low-entropy secret pw which is drawn from a 
small dictionary Password, according to the distribution D_pw. 

The key exchange algorithm P is an interactive protocol between A^i and S^j 
that provides the instances of A and S with a session key sk. During the 
execution of this protocol, the adversary has the entire control of the network, 
and tries to break the privacy of the key, or the authentication of the players. 
To this aim, several queries are available to it. Let us briefly recall the capability 
that each query captures: 

— Execute(A^i, S^j): This query models passive attacks, where the adversary gets 
access to honest executions of P between the instances A^i and S^j by 
eavesdropping. 

— Reveal(U): This query models the misuse of the session key by instance U 
(known-key attacks). The query is only available to A if the attacked instance 
actually "holds" a session key, and it releases the latter to A. 

— Send(U, m): This query enables us to consider active attacks by having A send 
a message to instance U. The adversary A gets back the response U 
generates in processing the message m according to the protocol P. A query 
Send(A^i, Start) initializes the key exchange algorithm, and thus the adver- 
sary receives the initial flow the player A should send out to the player S. 

In the active scenario, the Execute-query may at first seem useless since using 
the Send-query the adversary has the ability to carry out honest executions of 
P among parties. Yet, even in this scenario, the Execute-query is essential for 
properly dealing with dictionary attacks. The number Qs of Send-queries directly 
asked by the adversary does not take into account the number of Execute-queries. 
Therefore, Qs represents the number of flows the adversary has built by itself, 
and therefore the number of passwords it would have tried. 



Security Notions. As already noticed, the aim of the adversary is to break the 
privacy of the session key (a.k.a., semantic security) or the authentication of the 
players (having a player accepting while no instance facing him). The security 
notions take place in the context of executing P in the presence of the adversary 
A. One first draws a password pw from Password according to the distribution 
Ppw , provides coin tosses to A, all oracles, and then runs the adversary by letting 
it ask any number of queries as described above, in any order. 

AKE Security. The privacy (semantic security) of the session key is modeled by 
the game Game^ake(A, P), in which one more query is available to the adversary: 
Test(U). The Test-query can be asked at most once by the adversary A and is 
only available to A if the attacked instance U is Fresh (which roughly means 
that the session key is not "obviously" known to the adversary). This query 
is answered as follows: one flips a (private) coin b and forwards sk (the value 
Reveal(U) would output) if b = 1, or a random value if b = 0. When playing 
this game, the goal of the adversary is to guess the bit b involved in the Test- 
query, by outputting this guess b'. We denote the AKE advantage as the 
probability that A correctly guesses the value of b. More precisely we define 
Adv^ake_P(A) = 2 Pr[b = b'] − 1. The protocol P is said to be (t, ε)-AKE-secure if 
A's advantage is smaller than ε for any adversary A running with time t. 

Authentication. Another goal is to consider unilateral authentication of either A (A-Auth) or S (S-Auth), wherein the adversary impersonates a party. We denote by $\mathsf{Succ}^{A\text{-}auth}_P(A)$ (resp. $\mathsf{Succ}^{S\text{-}auth}_P(A)$) the probability that A successfully impersonates an A instance (resp. an S instance) in an execution of P, which means that S (resp. A) agrees on a key while that key is shared with no instance of A (resp. S). A protocol P is said to be (t, ε)-Auth-secure if A's success in breaking either A-Auth or S-Auth is smaller than ε for any adversary A running with time t.

3.1 Computational Diffie-Hellman Assumption

A (t, ε)-$\mathsf{CDH}_{g,G}$ attacker, in a finite cyclic group G of prime order q with g as a generator, is a probabilistic machine Δ running in time t such that its success probability $\mathsf{Succ}^{cdh}_{g,G}(\Delta)$, given random elements $g^x$ and $g^y$, to output $g^{xy}$, is greater than ε. As usual, we denote by $\mathsf{Succ}^{cdh}_{g,G}(t)$ the maximal success probability over all adversaries running within time t. The CDH-Assumption states that $\mathsf{Succ}^{cdh}_{g,G}(t) \le \varepsilon$ for any t/ε not too large.

4 Security Proof for the OMDHKE Protocol

In this section we show that the OMDHKE protocol distributes session keys that are semantically secure and provides unilateral authentication of the server S. The specification of this protocol is given in Figure 1.

Theorem 1 (AKE/UA Security). Let us consider the protocol OMDHKE, over a group of prime order q, where Password is a dictionary equipped with the distribution $\mathcal{D}_{pw}$. For any adversary A within a time bound t, with less than $q_s$ active interactions with the parties (Send-queries) and $q_p$ passive eavesdroppings (Execute-queries), and asking $q_g$ and $q_h$ hash queries to $\mathcal{G}$ and to any $\mathcal{H}_i$ respectively,

$$\mathsf{Adv}^{ake}_{omdhke}(A) \le \frac{3Q^2}{q} + 12 \times \mathcal{D}_{pw}(q_s) + 12\,q_h^2 \times \mathsf{Succ}^{cdh}_{g,G}(t + 2\tau_e) + \frac{2q_s}{2^{\ell_1}},$$

$$\mathsf{Succ}^{S\text{-}auth}_{omdhke}(A) \le \frac{Q^2}{q} + 3 \times \mathcal{D}_{pw}(q_s) + 3\,q_h^2 \times \mathsf{Succ}^{cdh}_{g,G}(t + 3\tau_e) + \frac{q_s}{2^{\ell_1}},$$

where $Q = q_p + q_s + q_g$ and $\tau_e$ denotes the computational time for an exponentiation in G.
This theorem shows that the protocol is secure against dictionary attacks, since the advantage of the adversary essentially grows with the ratio of interactions (number of Send-queries) to the number of passwords.

Proof. In this proof, we incrementally define a sequence of games starting at the real game G_0 and ending up at G_5. We use Shoup's lemma [14] to bound the probability of each event in these games.

Game G_0: This is the real protocol, in the random-oracle model. We are interested in the two following events:

— S_0 (for semantic security), which occurs if the adversary correctly guesses the bit b involved in the Test-query;

— A_0 (for S-authentication), which occurs if an instance A^i accepts with no partner instance (with the same transcript ((A, X*), (S, Y, Auth))).

$$\mathsf{Adv}^{ake}_{omdhke}(A) = 2\Pr[S_0] - 1, \qquad \mathsf{Succ}^{S\text{-}auth}_{omdhke}(A) = \Pr[A_0]. \quad (1)$$

Actually, in any game G_n below, we study the event A_n and the restricted event $SA_n = S_n \wedge \neg A_n$.

Game G_1: In this game, we simulate the hash oracles ($\mathcal{G}$, $\mathcal{H}_0$ and $\mathcal{H}_1$, but also the additional hash functions $\mathcal{H}'_i : \{0,1\}^* \to \{0,1\}^{\ell_i}$, for i = 0, 1, that will appear in Game G_3) as usual, by maintaining hash lists $\Lambda_{\mathcal{G}}$, $\Lambda_{\mathcal{H}}$ and $\Lambda_{\mathcal{H}'}$ (see Figure 2). We also simulate all the instances, as the real players would do, for the Send-queries and for the Execute, Reveal and Test-queries (see Figure 3). From this simulation, we easily see that the game is perfectly indistinguishable from the real attack.



For a hash query $\mathcal{H}_i(q)$ (resp. $\mathcal{H}'_i(q)$) such that a record (i, q, r) appears in $\Lambda_{\mathcal{H}}$ (resp. $\Lambda_{\mathcal{H}'}$), the answer is r. Otherwise one chooses a random element $r \in \{0,1\}^{\ell_i}$, answers with it, and adds the record (i, q, r) to $\Lambda_{\mathcal{H}}$ (resp. $\Lambda_{\mathcal{H}'}$).

For a hash query $\mathcal{G}(q)$ such that a record (q, r, ⋆) appears in $\Lambda_{\mathcal{G}}$, the answer is r. Otherwise the answer r is defined according to the following rule:

► Rule $\mathcal{G}^{(1)}$
  Choose a random element $r \in G$. The record (q, r, ⊥) is added to $\Lambda_{\mathcal{G}}$.

Note: the third component of the elements of this list will be explained later.

Fig. 2. Simulation of the hash functions



Game G_2: For an easier analysis in the following, we cancel games in which some (unlikely) collisions appear:

— collisions on the partial transcripts ((A, X*), (S, Y)). Note that transcripts involve at least one honest party, and thus one of X* or Y is truly uniformly distributed;

— collisions on the output of $\mathcal{G}$.
Fig. 3. Simulation of the OMDHKE protocol

Both probabilities are bounded by the birthday paradox:

$$\Pr[\mathsf{Coll}_2] \le \frac{(q_p + q_s)^2}{2q} + \frac{q_g^2}{2q}. \quad (2)$$

Game G_3: We compute the session key sk and the authenticator Auth using the private oracles $\mathcal{H}'_0$ and $\mathcal{H}'_1$ respectively:

► Rule A3/S3$^{(3)}$
  Compute the authenticator $\mathsf{Auth} = \mathcal{H}'_1(A\|S\|X^*\|Y)$.
  Compute the session key $sk_{A/S} = \mathcal{H}'_0(A\|S\|X^*\|Y)$.

Since we no longer need to compute the values $K_A$ and $K_S$, we can simplify the second rules:

► Rule A2/S2$^{(3)}$
  Do nothing.

Finally, one can note that the password is not used anymore either, so we can also simplify the generation of X*, using the group property of G:

► Rule A1$^{(3)}$
  Choose a random element $x \in \mathbb{Z}_q$ and compute $X^* = g^x$.

The games G_3 and G_2 are indistinguishable unless some specific hash queries are asked, denoted by the event $\mathsf{AskH}_3 = \mathsf{AskH0w1}_3 \vee \mathsf{AskH1}_3$:

— $\mathsf{AskH1}_3$: A queries $\mathcal{H}_1(A\|S\|X^*\|Y\|PW\|K_A)$ or $\mathcal{H}_1(A\|S\|X^*\|Y\|PW\|K_S)$ for some execution transcript ((A, X*), (S, Y, Auth));

— $\mathsf{AskH0w1}_3$: A queries $\mathcal{H}_0(A\|S\|X^*\|Y\|PW\|K_A)$ or $\mathcal{H}_0(A\|S\|X^*\|Y\|PW\|K_S)$ for some execution transcript ((A, X*), (S, Y, Auth)) where some party has accepted, but event $\mathsf{AskH1}_3$ did not happen.

The authenticator is computed with a random oracle that is private to the simulator, so one can remark that it cannot be guessed by the adversary better than at random for each attempt, unless the same partial transcript ((A, X*), (S, Y)) appeared in another session with a real instance. But such a case has already been excluded (in Game G_2). A similar remark can be made about the session key:



$$\Pr[A_3] \le \frac{q_s}{2^{\ell_1}}, \qquad \Pr[SA_3] \le \frac{1}{2}. \quad (3)$$

When collisions of partial transcripts have been excluded, the event AskH1 can be split into 3 disjoint sub-cases:

— $\mathsf{AskH1\text{-}Passive}_3$: the transcript ((A, X*), (S, Y, Auth)) comes from an execution between instances of A and S (Execute-queries, or forwarding of Send-queries, or replay of part of them). This means that both X* and Y have been simulated;

— $\mathsf{AskH1\text{-}WithA}_3$: the execution involved an instance of A, but Y has not been sent by any instance of S. This means that X* has been simulated, but Y has been produced by the adversary;

— $\mathsf{AskH1\text{-}WithS}_3$: the execution involved an instance of S, but X* has not been sent by any instance of A. This means that Y has been simulated, but X* has been produced by the adversary.

Game G_4: In order to evaluate the above events, we introduce a random Diffie-Hellman instance (P, Q), with both $P \in G^*$ and $Q \in G^*$ (which are thus generators of G; otherwise, the Diffie-Hellman problem is easy). We first modify the simulation of the oracle $\mathcal{G}$, involving the element Q. The simulation introduces values in the third component of the elements of $\Lambda_{\mathcal{G}}$, but does not use them.

► Rule $\mathcal{G}^{(4)}$
  Choose a random element $k \in \mathbb{Z}_q^*$ and compute $r = Q^{-k}$.
  The record (q, r, k) is added to $\Lambda_{\mathcal{G}}$.

We introduce the other part P of the Diffie-Hellman instance in the simulation of the party S.

► Rule S1$^{(4)}$
  Choose a random element $y \in \mathbb{Z}_q^*$ and compute $Y = P^y$.

This would leave the probabilities unchanged, except that we excluded the cases PW = 1 and Y = 1:

$$\left|\Pr[\mathsf{AskH}_4] - \Pr[\mathsf{AskH}_3]\right| \le \frac{q_g}{q} + \frac{q_s}{q}. \quad (4)$$

Game G_5: It is now possible to evaluate the probability of the event AskH (or more precisely, of its sub-cases). Indeed, one can remark that the password is never used during the simulation, so it can be chosen at the very end only. Then, an information-theoretic analysis can be performed, which simply uses cardinalities of some sets.

To this aim, we first cancel a few more games, wherein for some pair $(X^*, Y) \in G^2$, involved in a communication between an instance $S^j$ and either the adversary or an instance $A^i$, there are two distinct elements PW such that the tuple $(X^*, Y, PW, \mathsf{CDH}_{g,G}(X^*/PW, Y))$ is in $\Lambda_{\mathcal{H}}$ (this event is denoted $\mathsf{CollH}_5$):

$$\left|\Pr[\mathsf{AskH}_5] - \Pr[\mathsf{AskH}_4]\right| \le \Pr[\mathsf{CollH}_5]. \quad (5)$$

Fortunately, event $\mathsf{CollH}_5$ can be upper-bounded, thanks to the following lemma:

Lemma 2. If for some pair $(X^*, Y) \in G^2$, involved in a communication with an instance $S^j$, there are two elements $PW_0$ and $PW_1$ such that $(X^*, Y, PW_i, Z_i)$ are in $\Lambda_{\mathcal{H}}$ with $Z_i = \mathsf{CDH}_{g,G}(X^*/PW_i, Y)$, one can solve the computational Diffie-Hellman problem:

$$\Pr[\mathsf{CollH}_5] \le q_h^2 \times \mathsf{Succ}^{cdh}_{g,G}(t + \tau_e). \quad (6)$$
Proof. Assume there exist such elements $(X^*, Y = P^y) \in G^2$, $PW_0 = Q^{-k_0}$ and $PW_1 = Q^{-k_1}$. Note that

$$Z_i = \mathsf{CDH}_{g,G}(X^*/PW_i, Y) = \mathsf{CDH}_{g,G}(X^* \times Q^{k_i}, Y) = \mathsf{CDH}_{g,G}(X^*, Y) \times \mathsf{CDH}_{g,G}(Q, Y)^{k_i} = \mathsf{CDH}_{g,G}(X^*, Y) \times \mathsf{CDH}_{g,G}(P, Q)^{y k_i}.$$

As a consequence, $Z_1/Z_0 = \mathsf{CDH}_{g,G}(P, Q)^{y(k_1 - k_0)}$, and thus $\mathsf{CDH}_{g,G}(P, Q) = (Z_1/Z_0)^u$, where u is the inverse of $y(k_1 - k_0)$ in $\mathbb{Z}_q$. The latter exists since $PW_1 \ne PW_0$ and $y \ne 0$. By guessing the two queries asked to $\mathcal{H}_1$, one concludes the proof. □
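The flows that the simulator above replays ($X^* = g^x \times PW$, $Y = g^y$, Auth and sk derived from $\mathcal{H}_1$ and $\mathcal{H}_0$ over $A\|S\|X^*\|Y\|PW\|K$) and the algebra of Lemma 2, in an added worked example that is not from the paper. The group is a toy one (the field with 2039 elements and its subgroup of order 1019) so that it runs instantly; it offers no security. The exact ordering of the hash inputs and the instantiation of $\mathcal{G}$ and $\mathcal{H}_i$ by domain-separated SHA-256 are assumptions, since Figure 1 is not reproduced on this page.

```python
# Added example (not from the paper): a toy OMDHKE run and the Lemma 2 reduction.
# Toy group: p = 2039 = 2*1019 + 1 (safe prime), q = 1019, g = 4 generates the
# order-q subgroup of squares. Far too small for any real use.
import hashlib
import hmac
import secrets

P_MOD = 2039   # safe prime
Q_ORD = 1019   # prime order of the subgroup of squares modulo P_MOD
G = 4          # 2^2, a generator of that subgroup


def hash_to_group(pw: bytes) -> int:
    """Assumed instantiation of G: Password -> G \\ {1}: hash, reduce, square."""
    ctr = 0
    while True:
        h = hashlib.sha256(b"OMDHKE-G" + ctr.to_bytes(2, "big") + pw).digest()
        r = pow(int.from_bytes(h, "big") % P_MOD, 2, P_MOD)
        if r not in (0, 1):
            return r
        ctr += 1


def H(i: int, *parts) -> bytes:
    """Assumed instantiation of H_i: SHA-256 over length-prefixed fields,
    domain-separated by i (0 = session key, 1 = server authenticator)."""
    h = hashlib.sha256(bytes([i]))
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()


def inv(x: int) -> int:
    return pow(x, -1, P_MOD)


def run_omdhke(pw_client: bytes, pw_server: bytes, A=b"alice", S=b"server"):
    """One protocol run. Returns (client_accepted, sk_A, sk_S).

    Client flow : X* = g^x * PW        (the 'encryption' is a group multiplication)
    Server flow : Y = g^y, K_S = (X*/PW)^y, Auth = H_1(A||S||X*||Y||PW||K_S)
    Client check: K_A = Y^x, Auth == H_1(A||S||X*||Y||PW||K_A)
    Both        : sk = H_0(A||S||X*||Y||PW||K)
    """
    PW_c = hash_to_group(pw_client)
    PW_s = hash_to_group(pw_server)

    x = secrets.randbelow(Q_ORD - 1) + 1             # x in Z_q^*
    X_star = pow(G, x, P_MOD) * PW_c % P_MOD         # masked DH value

    y = secrets.randbelow(Q_ORD - 1) + 1
    Y = pow(G, y, P_MOD)
    K_S = pow(X_star * inv(PW_s) % P_MOD, y, P_MOD)  # unmask with the server's PW
    auth = H(1, A, S, X_star, Y, PW_s, K_S)
    sk_S = H(0, A, S, X_star, Y, PW_s, K_S)

    K_A = pow(Y, x, P_MOD)                           # equals g^{xy} iff PW_c == PW_s
    accepted = hmac.compare_digest(auth, H(1, A, S, X_star, Y, PW_c, K_A))
    sk_A = H(0, A, S, X_star, Y, PW_c, K_A) if accepted else None
    return accepted, sk_A, sk_S


def cdh_from_two_guesses(y: int, k0: int, k1: int, Z0: int, Z1: int) -> int:
    """Lemma 2 made concrete. With Y = P^y and PW_i = Q^{-k_i},
    Z_i = CDH(X*/PW_i, Y) = CDH(X*, Y) * CDH(P, Q)^{y k_i}, hence
    Z1/Z0 = CDH(P, Q)^{y(k1-k0)} and CDH(P, Q) = (Z1/Z0)^u, u = (y(k1-k0))^{-1} mod q."""
    u = pow(y * (k1 - k0) % Q_ORD, -1, Q_ORD)
    return pow(Z1 * inv(Z0) % P_MOD, u, P_MOD)
```

With matching passwords both sides derive the same sk; with a wrong client password the server's $K_S$ is off by $(PW_c/PW_s)^y$, so Auth fails and the client rejects, which is the behaviour the AskH1-WithA case counts one password guess for.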

In order to conclude, let us study separately the three sub-cases of AskH1 and then AskH0w1 (keeping in mind the absence of several kinds of collisions: for partial transcripts, for $\mathcal{G}$, and for PW in $\mathcal{H}$-queries):

— AskH1-Passive: About the passive transcripts (in which both X* and Y have been simulated), one can state the following lemma:

Lemma 3. If for some pair $(X^*, Y) \in G^2$, involved in a passive transcript, there is an element PW such that $(X^*, Y, PW, Z)$ is in $\Lambda_{\mathcal{H}}$ with $Z = \mathsf{CDH}_{g,G}(X^*/PW, Y)$, one can solve the computational Diffie-Hellman problem:

$$\Pr[\mathsf{AskH1\text{-}Passive}_5] \le q_h \times \mathsf{Succ}^{cdh}_{g,G}(t + 2\tau_e).$$

Proof. Assume there exist such elements $(X^* = g^x, Y = P^y) \in G^2$ and $PW = Q^{-k}$. As above,

$$Z = \mathsf{CDH}_{g,G}(X^*, Y) \times \mathsf{CDH}_{g,G}(Q, Y)^k = P^{xy} \times \mathsf{CDH}_{g,G}(P, Q)^{yk}.$$

As a consequence, $\mathsf{CDH}_{g,G}(P, Q) = (Z/P^{xy})^u$, where u is the inverse of yk in $\mathbb{Z}_q$. The latter exists since we have excluded the cases where y = 0 or k = 0. By guessing the query asked to $\mathcal{H}_1$, one concludes the proof. □

— AskH1-WithA: this event may correspond to an attack where the adversary tries to impersonate S to A (break unilateral authentication). But each authenticator sent by the adversary has been computed with at most one PW value. Without any $\mathcal{G}$-collision, it corresponds to at most one pw:

$$\Pr[\mathsf{AskH1\text{-}WithA}_5] \le \mathcal{D}_{pw}(q_s).$$

— AskH1-WithS: The above Lemma 2, when applied to games where the event $\mathsf{CollH}_5$ did not happen (and without $\mathcal{G}$-collision), states that for each pair (X*, Y) involved in a transcript with an instance $S^j$, there is at most one element pw such that for $PW = \mathcal{G}(pw)$ the corresponding tuple is in $\Lambda_{\mathcal{H}}$: the probability over a random password is thus less than $\mathcal{D}_{pw}(q_s)$. As a consequence,

$$\Pr[\mathsf{AskH1\text{-}WithS}_5] \le \mathcal{D}_{pw}(q_s).$$




Emmanuel Bresson, Olivier Chevassut, and David Pointcheval

[Figure 4: message flows between Client and Server. Only the following steps are recoverable from the extracted figure text. Initialization: pw ← Password, $PW = \mathcal{G}(pw) \in G$; hash functions with output lengths $\ell_0, \ell_1, \ell_2$; the server holds a MAC key; both sides start with accept ← terminate ← false. Flow 1 (server): pick a nonce and the date, cookie ← MAC(nonce, date), send them to the client. Flow 2 (client): find a string whose puzzle hash together with the cookie equals 0 on the required bits, compute $X^* = g^x \times PW$, send nonce, date, cookie, the solution and $X^*$. Server: lock the record in List; check that the tuple is not already in List, that the date is fine, that the puzzle solution hashes to 0 and that cookie = MAC(nonce, date); then $K_S = (X^*/PW)^y$, Auth ← $\mathcal{H}_1(A\|S\|X^*\|Y\|PW\|K_S)$, Auth' ← $\mathcal{H}_2(A\|S\|X^*\|Y\|PW\|K_S)$, $sk_S$ ← $\mathcal{H}_0(A\|S\|X^*\|Y\|PW\|K_S)$; send Y and Auth and store Auth' in List. Client: $K_A = Y^x$; check Auth = $\mathcal{H}_1(A\|S\|X^*\|Y\|PW\|K_A)$ and, if true, accept ← true; compute Auth' = $\mathcal{H}_2(A\|S\|X^*\|Y\|PW\|K_A)$ and $sk_A$ ← $\mathcal{H}_0(A\|S\|X^*\|Y\|PW\|K_A)$; send Auth'. Server: check that the received Auth' equals the stored one and, if true, accept ← true. Both sides: terminate ← true.]

Fig. 4. An execution of the protocol OMDHKE, run between a client and a server, enhanced with mutual authentication and a denial-of-service protection.



About AskH0w1 (when the three above events did not happen), it means that only executions with an instance of S (and either A or the adversary) may lead to acceptance. Exactly the same analysis as for AskH1-Passive and AskH1-WithS leads to $\Pr[\mathsf{AskH0w1}_5] \le \mathcal{D}_{pw}(q_s) + q_h \times \mathsf{Succ}^{cdh}_{g,G}(t + 2\tau_e)$. As a conclusion,

$$\Pr[\mathsf{AskH}_5] \le 3\,\mathcal{D}_{pw}(q_s) + 2q_h \times \mathsf{Succ}^{cdh}_{g,G}(t + 2\tau_e). \quad (7)$$

Combining all the above equations, one gets the announced result. □

5 The DoS-resistant OMDHKE Protocol

In a computing environment where distributed DoS attacks are a continual threat, a server needs to protect itself from non-legitimate clients that would exhaust its memory and computational power. Intensive cryptographic computations (e.g., exponentiations), as well as state allocation, are only performed after a client proves to the server that it was able to solve a given "puzzle". The "puzzle" is chosen so that the client can only solve it by exhaustive search, while the server can quickly check whether a given proposition solves it. This "puzzle" is chosen as follows.

The server first picks at random a symmetric MAC key that it will use to authenticate cookies; the MAC key is used across multiple connections. The server then forms the authenticated cookie, which is the MAC of a random nonce and the date, and sends it to the client. The precision of the date is determined according to the level of DoS protection required. The use of a cookie makes the protocol stateless on the server side at this stage. Upon receiving the cookie, the client tries to find an input which hashes to the NULL value. Since this hash function is seen as a random oracle, the only way for the client to solve this "puzzle" is to run through all possible prefixed strings and query the random oracle [4]. In practice this function is instantiated using specific functions derived from standard hash functions such as SHA-1. Once the client has found such a proof of computational effort, it sends it back with the authenticated cookie and its Diffie-Hellman public value to the server. Upon receiving these values the server checks whether the client is launching a DoS attack by initiating several connections in parallel and replaying this proof of computational effort on another connection. The server reaches this aim by locking the cookie and not admitting the same cookie twice (hence the date in this challenge is used to tune the size of the database). If all the checks verify, the server starts saving state and computing the exponentiations necessary to establish a session key. From this point on the protocol works as the original AuthA protocol, adding mutual authentication [2].
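The cookie and puzzle front end just described, as an added example that is not code from the paper. It assumes HMAC-SHA256 as the MAC, SHA-256 as the stand-in for the puzzle's random oracle, "hashes to the NULL value" read as "the first DIFFICULTY bits of the digest are zero", and a date that is a coarse time bucket (so the lock table of used cookies can be pruned by bucket); those names and choices are the example's own.

```python
# Added example (not from the paper): stateless cookie + client puzzle, checked
# by the server before any exponentiation or per-session state.
import hashlib
import hmac
import os
import time

DIFFICULTY = 16   # leading zero bits required; about 2^16 hashes per client


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_ok(cookie: bytes, solution: bytes, difficulty: int) -> bool:
    """Server-side check: a single hash, no state."""
    return leading_zero_bits(hashlib.sha256(cookie + solution).digest()) >= difficulty


def solve_puzzle(cookie: bytes, difficulty: int) -> bytes:
    """Client side: exhaustive search over a counter, the only strategy
    against a random oracle."""
    ctr = 0
    while True:
        s = ctr.to_bytes(8, "big")
        if puzzle_ok(cookie, s, difficulty):
            return s
        ctr += 1


class PuzzleServer:
    def __init__(self, difficulty=DIFFICULTY, window=60, clock=time.time):
        self.mac_key = os.urandom(32)   # one MAC key across connections
        self.difficulty = difficulty
        self.window = window            # seconds per date bucket
        self.clock = clock
        self.locked = {}                # cookie -> date bucket: the replay lock

    def _date(self) -> int:
        return int(self.clock()) // self.window

    def _cookie(self, nonce: bytes, date: int) -> bytes:
        return hmac.new(self.mac_key, nonce + date.to_bytes(8, "big"),
                        hashlib.sha256).digest()

    def challenge(self):
        """Flow 1: nonce, date and authenticated cookie; nothing is stored."""
        nonce, date = os.urandom(16), self._date()
        return nonce, date, self._cookie(nonce, date)

    def admit(self, nonce: bytes, date: int, cookie: bytes, solution: bytes) -> bool:
        """Flow 2 checks, in the order of increasing cost; all happen before
        the server saves state or computes any exponentiation."""
        if not hmac.compare_digest(cookie, self._cookie(nonce, date)):
            return False                            # not our cookie
        now = self._date()
        if date not in (now, now - 1):
            return False                            # date is not fine
        if not puzzle_ok(cookie, solution, self.difficulty):
            return False                            # no proof of work
        if cookie in self.locked:
            return False                            # same cookie twice: replay
        self.locked[cookie] = date
        # locks from expired buckets can be dropped, which bounds the table
        self.locked = {c: d for c, d in self.locked.items() if d >= now - 1}
        return True
```

The cookie check needs only the MAC key, so a flood of bogus second flows costs the server one HMAC each; the puzzle costs the client about $2^{\mathrm{DIFFICULTY}}$ hashes but the server one, and the lock table only grows by honest, admitted connections within the current date window.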

6 Conclusion

The above proof does not deal with forward secrecy. Forward secrecy entails that the corruption of the password does not compromise the semantic security of previously established session keys. One could easily prove that this scheme achieves forward secrecy, as in [8], while losing a quadratic factor in the reduction.

In conclusion, this paper provides strong security arguments that support the standardization of the AuthA protocol by the IEEE P1363.2 Standard working group on password-based public key cryptography. We have presented a compact and "elegant" proof of security for the AuthA protocol [3] when the symmetric-encryption primitive is instantiated using a mask generation function, which extends our previous work where the symmetric-encryption primitive is assumed to behave like an ideal cipher [8]. The security of the protocol was indeed stated as an open problem by its designers. In our study, the symmetric encryption basic block takes the form of a multiplication in the Diffie-Hellman group. Our result is a significant departure from previously known results since the security of AuthA can now be based on weaker and more reasonable assumptions involving both the random-oracle model and the computational Diffie-Hellman problem. Moreover, we investigate and propose a practical, reasonable solution to make the protocol secure against DoS attacks. One can also find further studies on the variant in which both flows are encrypted between the client and the server in the full version of this paper [9].
Abstract. We generalize and extend results obtained by Boneh and Venkatesan in 1996 and by Gonzalez Vasco and Shparlinski in 2000 on the hardness of computing bits of the Diffie-Hellman key, given the public values. Specifically, while these results could only exclude (essentially) error-free predictions, we here exclude any non-negligible advantage, though for larger fractions of the bits. We can also demonstrate a trade-off between the tolerated error rate and the number of unpredictable bits.

Moreover, by changing computational model, we show that even a very 
small proportion of the most significant bits of the Diffie-Hellman secret 
key cannot be retrieved from the public information by means of a Las 
Vegas type algorithm, unless the corresponding scheme is weak itself. 



1 Introduction 

So called “provable” security models, in which the robustness of a cryptographic 
tool can be justified by means of a formal proof, are gaining more and more 
attention. In such models, the security of a scheme or protocol is measured in 
terms of the chances (non-negligible advantage over a random guess) a malicious 
adversary has of retrieving information he is not supposed to have access to. 
There are already several proposals for schemes that are robust in this sense, 
some of them merely theoretical but others already deployed in practice. Much 
research has been devoted to this topic, and there is indeed a large battery of 
results for various schemes in different computational models (e.g. [2,3,9,10]). 

Since the early days of cryptography, one security property that has been extensively studied is the security with respect to "approximate cracking". Robustness in this sense is stated by proving that single bits in an encrypted message are no easier to obtain than the whole message itself (or other information close to the secret in some metric). General frameworks for such studies are for example the hard-core bit problem, first formalized in [4], and the hidden number problem, introduced by Boneh and Venkatesan [6,7].

In addition, any security property can be studied in different computational 
models, ranging from the classical Turing machine model, passive/active adver- 
saries, restricted algebraic models, up to the more recent quantum and side- 
channel attack models, the latter two being more “physical” in nature. Indeed, 
models that might seem unrealistic today could become a reality in 20 years, a 
time-span which may be required to cryptographically guard secrets in many ap- 
plications. We therefore believe it is important to keep an open mind to various 
models and investigate which implications they have. 

In this paper we extend the area of application of algorithms for the hid- 
den number problem, deriving new bit security properties of the Diffie-Hellman 
key exchange scheme. Detailed surveys of bit security results for various cryp- 
tographic schemes are given in [14]; several more recent results can be found 
in [5,6,7,15,16,17,20,22,26,27,32,34,35]. 

We show that by making some adjustments to the scheme proposed in [6] and refined in [16], one can obtain bit security results for the Diffie-Hellman secret key of the same strength as in [6,16], but in a much more restricted computational model of unreliable oracles, which represent adversaries that only retrieve correct guesses for the target bits with a certain probability. We perform the study with two types of unreliable oracles, roughly corresponding to the classical "Monte Carlo" type algorithms and to the, in cryptography less conventional, "Las Vegas" type of algorithm. In fact, we also obtain an improvement of the result of [16] for "error-free" oracles, as we use the recent bound on exponential sums over small subgroups from [8] instead of the bound from [21] that led to the result in [16]. Also, our Lemma 3 is based on a recent improvement [1] in lattice reduction algorithms, whereas in [16] older results were applied.

2 Notation

As usual we assume that for a prime p the field $\mathbb{F}_p$ of p elements is represented by the set {0, 1, ..., p − 1}. Accordingly, sometimes, where obvious, we treat elements of $\mathbb{F}_p$ as integer numbers in the above range. Also, for an integer s we denote by $\lfloor s \rfloor_p$ the remainder of s on division by p.

For a real η > 0 and $t \in \mathbb{F}_p$ we denote by $\mathrm{MSB}_{\eta,p}(t)$ any integer which satisfies the inequalities

$$\frac{p}{2^{\eta}}\left(\mathrm{MSB}_{\eta,p}(t) - 1\right) \le t < \frac{p}{2^{\eta}}\,\mathrm{MSB}_{\eta,p}(t). \quad (1)$$

Thus, roughly speaking, $\mathrm{MSB}_{\eta,p}(t)$ is the integer defined by the η most significant bits of t. However, this definition is more flexible and better suited to our purposes. In particular note that η in the inequality (1) need not be an integer.

Throughout the paper log x denotes the binary logarithm of x > 1. The implied constants in the symbol "O" may occasionally, where obvious, depend on a real parameter ε > 0 and are absolute otherwise.

We denote by $\mathbb{E}[\xi]$ the expected value of a random variable ξ. Accordingly, $\mathbb{E}_\xi[g(\xi)]$ denotes the expected value of a random variable g(ξ), which, for a given function g, only depends on the distribution of ξ. We make use of the following variant of the Markov inequality: for positive c and a random variable ξ upper bounded by M,

$$\Pr\left[\xi \ge \mathbb{E}_\xi[\xi]/c\right] \ge M^{-1}\left(1 - 1/c\right)\mathbb{E}_\xi[\xi]. \quad (2)$$

3 Preparations

Reconstructing $g^{xy}$ from "noisy" approximations of $g^{xy}$ can be formulated as a hidden number problem [6,7]. We review important ingredients for this problem. In particular, we collect several useful results about the hidden number problem, lattices and exponential sums, and establish some links between these techniques.



3.1 Hidden Number Problem and Uniform Distribution mod p

One of many possible variations of the hidden number problem is:

  Given a finite sequence $\mathcal{T}$ of elements of $\mathbb{F}_p^*$, recover $\alpha \in \mathbb{F}_p^*$ for which, for polynomially many known random $t \in \mathcal{T}$, we are given $\mathrm{MSB}_{\eta,p}(\alpha t)$ for some η > 0.

The case of $\mathcal{T} = \mathbb{F}_p^*$ is exactly the one considered in [6,7]. However, it has been noticed for the first time in [16], and exploited in a series of works, see [11,17,26,28,29], that in fact for cryptographic applications one has to consider more general sequences $\mathcal{T}$. An important issue is the uniformity of distribution of these sequences.

For a sequence of N points $0 \le \vartheta_1, \ldots, \vartheta_N < 1$ define its discrepancy D by

$$D = \sup_{0 \le \gamma \le 1} \left| \frac{T(\gamma)}{N} - \gamma \right|,$$

where T(γ) is the number of points of this sequence in the interval [0, γ].

We say that a finite sequence $\mathcal{T}$ of integers is Δ-homogeneously distributed modulo a prime p if for any integer a with gcd(a, p) = 1, the discrepancy $D_a(\mathcal{T})$ of the sequence of fractional parts {at/p}, $t \in \mathcal{T}$, satisfies $D_a(\mathcal{T}) \le \Delta$. It has been shown in Lemma 4 of [28] that the algorithm of [6] can be modified to work for sequences that are Δ-homogeneously distributed modulo a prime p, provided Δ is small enough.
3.2 Lattices

As in the pioneering papers [6,7], our results rely on rounding techniques in lattices. We briefly review a few results and definitions. For general references on lattice theory and its important cryptographic applications, we refer to [18] and also to the recent surveys [30,31].

A basic lattice problem is the closest vector problem (CVP): given a basis of a lattice L in $\mathbb{R}^s$ and a target $u \in \mathbb{R}^s$, find a lattice vector $v \in L$ which minimizes the Euclidean norm $\|u - v\|$ among all lattice vectors. The modification where u = 0 is the zero vector (thus $u \in L$) is the shortest vector problem (SVP): find a nonzero $v \in L$ of smallest Euclidean norm $\|v\|$ among all lattice vectors.

Here, as in [28], we use the best polynomial-time CVP approximation result known, which follows from the recent shortest vector algorithm of [1] combined with the reduction of [23] from approximating the CVP to approximating the SVP, and which leads to the following statement:

Lemma 1. For any constant γ > 0, there exists a randomized polynomial time algorithm which, given a lattice L and a vector $r \in \mathbb{R}^s$, finds a lattice vector v satisfying, with probability exponentially close to 1, the inequality

$$\|v - r\| \le 2^{\gamma s \log\log s / \log s} \min\{\|z - r\|,\ z \in L\}.$$



For integers $t_1, \ldots, t_d$ selected in the interval [0, p − 1], we denote by $L(t_1, \ldots, t_d)$ the full rank (d + 1)-dimensional lattice generated by the rows of the following (d + 1) × (d + 1)-matrix

$$\begin{pmatrix} p & 0 & \cdots & 0 & 0 \\ 0 & p & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & p & 0 \\ t_1 & t_2 & \cdots & t_d & 1/p \end{pmatrix}. \quad (3)$$



Our principal tool is an extension of Lemma 4 of [28], which in turn extends the algorithm of [6]. The results below are analogues of Lemmas 6.2 and 6.3 of [35]. For applications to Diffie-Hellman we deal with sequences corresponding to small finite subgroups of $\mathbb{F}_p^*$ which satisfy the above requirement of Δ-homogeneous distribution, so Lemma 4 of [28] can be applied directly to them.

Lemma 2. Assume that a real μ and an integer d satisfy

$$d(\mu - \log 5) > 2\log p$$

and let α be a fixed integer in the interval [0, p − 1]. Assume that $t_1, \ldots, t_d$ are chosen uniformly and independently at random from a finite Δ-homogeneously
The rest of the proof is identical to the proof of Theorem 5 of [6]; we outline it for the sake of completeness.

Let us fix some integers $t_1, \ldots, t_d$ with

$$\min_{\beta \not\equiv \alpha \ (\mathrm{mod}\ p)}\ \max_{i \in [1,d]} \|\beta t_i - \alpha t_i\|_p \ge p\,2^{-\mu+1}. \quad (4)$$

Let v be a lattice point satisfying

$$\left(\sum_{i=1}^{d} (v_i - s_i)^2\right)^{1/2} < p\,2^{-\mu}.$$

Clearly, since $v \in L(t_1, \ldots, t_d)$, there are integers $\beta, z_1, \ldots, z_d$ such that

$$v = (\beta t_1 - z_1 p, \ldots, \beta t_d - z_d p, \beta/p).$$

If β ≡ α (mod p), then we are done, so suppose that β ≢ α (mod p). In this case,

$$\left(\sum_{i=1}^{d} (v_i - s_i)^2\right)^{1/2} \ge \min_{i \in [1,d]} \|\beta t_i - s_i\|_p \ge \min_{i \in [1,d]} \left(\|\beta t_i - \alpha t_i\|_p - \|s_i - \alpha t_i\|_p\right) \ge p\,2^{-\mu+1} - p\,2^{-\mu} = p\,2^{-\mu},$$

which contradicts our assumption. As we have seen, the condition (4) holds with probability exceeding 1 − 1/p, and the result follows. □



Lemma 3. Let 1 > τ > 0 be an arbitrary absolute constant and p be a prime. Assume that a real η and an integer d satisfy

$$\eta \ge \left(\frac{\log p\,\log\log\log p}{\log\log p}\right)^{1/2} \quad\text{and}\quad d = \lceil 5\log p/\eta \rceil.$$

Let $\mathcal{T}$ be a sequence of $2^{-\eta}$-homogeneously distributed integers modulo p. There exists a probabilistic polynomial-time algorithm $\mathcal{A}$ such that for any fixed integer $\alpha \in \mathbb{F}_p^*$, given 2d integers

$$t_i \quad\text{and}\quad s_i = \mathrm{MSB}_{\eta,p}\left(\lfloor \alpha t_i \rfloor_p\right), \qquad i = 1, \ldots, d,$$

its output satisfies for sufficiently large p

$$\Pr\left[\mathcal{A}(m, t_1, \ldots, t_d; s_1, \ldots, s_d) = \alpha\right] \ge 1 - p^{-1},$$

with probability taken over all $t_1, \ldots, t_d$ chosen uniformly and independently at random from the elements of $\mathcal{T}$ and all coin tosses of the algorithm $\mathcal{A}$.
Proof. We follow the same arguments as in the proof of Theorem 1 of [6], which we briefly outline here for the sake of completeness. We refer to the first d vectors in the defining matrix of $L(t_1, \ldots, t_d)$ as p-vectors.

Multiplying the last row vector $(t_1, \ldots, t_d, 1/p)$ of the matrix (3) by α and subtracting certain multiples of p-vectors, we obtain a lattice point

$$u_\alpha = (u_1, \ldots, u_d, \alpha/p) \in L(t_1, \ldots, t_d)$$

such that $|u_i - s_i| < p\,2^{-\eta}$, i = 1, ..., d + 1. Therefore,

$$\min\left\{\sum_{i=1}^{d+1} (z_i - s_i)^2,\ z = (z_1, \ldots, z_d, z_{d+1}) \in L(t_1, \ldots, t_d)\right\} \le (d+1)\,p^2\,2^{-2\eta}.$$

Let μ = η/2. One can verify that under the conditions of the lemma we have

$$(d+1)\,\frac{\log\log(d+1)}{\log(d+1)} \le \tau\eta \quad\text{and}\quad d(\mu - \log 5) > 2\log p.$$

Now we use the algorithm of Lemma 1 with $s = (s_1, \ldots, s_d, 0)$ to find in probabilistic polynomial time a lattice vector

$$v = (v_1, \ldots, v_d, v_{d+1}) \in L(t_1, \ldots, t_d)$$

such that

$$\left(\sum_{i=1}^{d+1} (v_i - s_i)^2\right)^{1/2} \le 2^{\gamma (d+1)\log\log(d+1)/\log(d+1)}\, p\,(d+1)^{1/2}\,2^{-\eta} < p\,2^{-\mu-1},$$

provided that p is sufficiently large. We also have

$$\left(\sum_{i=1}^{d+1} (u_i - s_i)^2\right)^{1/2} \le p\,(d+1)^{1/2}\,2^{-\eta} < p\,2^{-\mu-1}.$$

Therefore,

$$\left(\sum_{i=1}^{d+1} (u_i - v_i)^2\right)^{1/2} < p\,2^{-\mu}.$$

Applying Lemma 2, we see that $v = u_\alpha$ with probability at least 1 − 1/p, and therefore α can be recovered in polynomial time. □



3.3 Distribution of Exponential Functions Modulo p

To apply the results above, we will need to establish approximate uniform distribution of sequences of the form $g^x$, x = 1, 2, .... A procedure to establish such results in general is to bound certain exponential sums related to the sequences under consideration.

The following statement is a somewhat simplified version of Theorem 4 of [8] and greatly improves several previously known bounds from [21,25], which have been used in [16].

Lemma 4. For any ε > 0 there exists δ > 0 such that for any element $g \in \mathbb{F}_p^*$ of multiplicative order $T \ge p^{\varepsilon}$ we have

$$\max_{\gcd(c,p)=1} \left| \sum_{x=0}^{T-1} \exp\left(2\pi i\, c\, g^x / p\right) \right| \le T\,p^{-\delta}.$$

Using Lemma 4 and arguing as in [16], we derive the following statement.

Lemma 5. For any ε > 0 there exists δ > 0 such that for any element $g \in \mathbb{F}_p^*$ of multiplicative order $T \ge p^{\varepsilon}$ the sequence $g^x$, x = 1, ..., T, is $p^{-\delta}$-homogeneously distributed modulo p.

4 Bit Security of the Diffie-Hellman Scheme

Let us fix an element $g \in \mathbb{F}_p^*$ of multiplicative order q, where q is prime. We recall that classically, breaking the Diffie-Hellman scheme means the ability to recover the value of the secret key $g^{xy}$ from the publicly known values $g^x$ and $g^y$ (with unknown x and y, of course).

The attacker, however, may pursue a more modest goal of recovering only partial information about the secret $g^{xy}$. For instance, the Legendre symbol of $g^{xy}$ is trivially deducible from those of $g^x$ and $g^y$. If only part of $g^{xy}$ is used to derive a key for a secret-key cryptosystem, this may be harmful enough. The purpose of bit security results is to show that deriving such partial information is as hard as finding the whole key, which is believed to be infeasible.

It has been shown in [6,16] that recovering (without significant errors) about $\log^{1/2} p$ most significant bits of $g^{xy}$ for every x and y is not possible unless the whole scheme is insecure.

However, it is already dangerous enough if the attacker possesses a probabilistic algorithm which recovers some bits of $g^{xy}$ only for some, not too small, fraction of key exchanges. Here we obtain first results in this direction. We consider two types of attacking algorithms:

— more traditional Monte Carlo type algorithms, where our results are weaker in terms of number of bits, but stronger in error tolerance than those of [6,16];

— more powerful Las Vegas type algorithms, where, given such an algorithm, our results are stronger than those for deterministic algorithms obtained in [6,16]. Cryptographic security of other schemes in this model has been studied in [27].
In fact, it is more convenient to treat a possible attacking algorithm as an 
oracle which, given g^x and g^y, returns, sometimes, some information about g^{xy}. 
Accordingly, our purpose is to show that having such an oracle one can recover 
the secret key completely. 

In the sequel, to demonstrate our arguments in the simplest situation we 
restrict ourselves to the case of most practical interest, that is, g generating a 
sub-group of prime order q. 



4.1 Monte Carlo Type Attacks 

Given positive η and γ, we define the oracle MSB_{η,γ} as a “black box” which, 
given g^x, g^y ∈ F_p^*, outputs the value of MSB_{η,p}(g^{xy}) with probability γ, taken 
over random pairs (x, y) ∈ Z_q^2 (and possible internal coin-flips), and outputs an 
arbitrary value otherwise. 

That is, MSB_{η,γ} is a Monte Carlo type oracle which sometimes outputs some 
useful information and otherwise returns a wrong answer following any distri- 
bution. This is qualitatively thus the same type of oracle as considered in [6,16]. 

Theorem 1. For any ε > 0 the following statement holds. Let δ > 0 
be an arbitrary positive number and let 

$\eta = \lceil \delta \log p \rceil .$

For any element g ∈ F_p^* of multiplicative order q ≥ p^ε, where q is prime, 
there exists a probabilistic algorithm which, in time polynomial in log p and 
(0.25γ)^{-3δ^{-1}-1} log γ^{-1}, for any pair (a, b) ∈ Z_q^2, given the values of g^a, g^b ∈ F_p, 
makes the expected number of 

$O\left((0.25\gamma)^{-3\delta^{-1}-1} \log \gamma^{-1} \log\log p\right)$

calls to the oracle MSB_{η,γ} and computes g^{ab} correctly with probability 1 + O(log^{-1} p). 

Proof. Put d = ⌈3 log p / η⌉ ≤ 3δ^{-1} + 1. Given g^x, g^y the oracle returns 
MSB_{η,p}(g^{xy}) with probability γ. We define an algorithm, O(g^x, g^y), which uses 
MSB_{η,γ} as a black box and retrieves g^{xy} with non-negligible probability, ρ. We then 
apply a result by Shoup, [33], to this O, and get an algorithm which retrieves 
g^{xy} almost surely. In the following we define and analyze O. 

By randomizing the second component input to g^y, we hope to hit a 
set of “good” values of y, for which we have a sufficient advantage, taken over x 
only. We then query MSB_{η,γ} by randomizing the g^x-component, keeping y fixed. 

Let γ_y be the average success probability of MSB_{η,γ}(g^x, g^y), taken over random 
x for a given y. Thus, E_y[γ_y] = γ. Let us define k = ⌈log(2/γ)⌉ and say that y is 
j-good if γ_y ∈ [2^{-j}, 2^{1-j}), j = 1, 2, ..., k, and let S_j = {y | y is j-good} (thus 
we do not care about y for which γ_y < γ/2). By the Markov inequality, (2), 

$\Pr_y[\gamma_y \ge \gamma/2] \ge \gamma/2 . \qquad (5)$
distributed integer sequence T modulo p. Then with probability P ≥ 1 − 1/p, for 
any vector s = (s_1, ..., s_d, 0) with 

$\Bigl(\sum_{i=1}^{d} \|\alpha t_i - s_i\|_p^2\Bigr)^{1/2} \le p\,2^{-\eta}$

all vectors v = (v_1, ..., v_d, v_{d+1}) ∈ L(t_1, ..., t_d) satisfying 

$\Bigl(\sum_{i=1}^{d} (v_i - s_i)^2\Bigr)^{1/2} \le p\,2^{-\eta}$

are such that 

$v_i \equiv \beta t_i \pmod p,\quad i = 1, \ldots, d,\qquad v_{d+1} = \beta/p$

with some β ≡ α (mod p). 

Proof. We define the modular norm of an integer γ modulo p as 

$\|\gamma\|_p = \min_{b \in \mathbb{Z}} |\gamma - bp| .$

For any γ such that γ ≢ 0 (mod p) the probability P(γ) of 

$\|\gamma t\|_p > p\,2^{-\eta+1}$

for an integer t chosen uniformly at random from the elements of a Δ-homo- 
geneously distributed sequence modulo p is 

$P(\gamma) \ge 1 - 2^{-\eta+2} - \Delta .$

Thus for the 2^{-η}-homogeneously distributed sequence modulo p, T, we have 

$P(\gamma) \ge 1 - 2^{-\eta+3} .$

Therefore, for any β ≢ α (mod p), 

$\Pr\bigl[\exists i \in [1,d] : \|\beta t_i - \alpha t_i\|_p > p\,2^{-\eta+1}\bigr] = 1 - (1 - P(\beta - \alpha))^d \ge 1 - 2^{-(\eta-3)d}$

where the probability is taken over integers t_1, ..., t_d chosen uniformly and in- 
dependently at random from the elements of T. 

Since for β ≢ α (mod p) there are only p − 1 possible values for the residue 
of β modulo p, we obtain 

$\Pr\bigl[\forall \beta \not\equiv \alpha \pmod p,\ \exists i \in [1,d] : \|\beta t_i - \alpha t_i\|_p > p\,2^{-\eta+1}\bigr] \ge 1 - (p-1)\,2^{-(\eta-3)d} \ge 1 - 1/p$

because of the conditions of the theorem. 
We claim that there must exist j as above for which Pr_y[y ∈ S_j] ≥ 2^{j-2}γ/k. 
If this was not the case, by (5), we would get the following contradiction 
(recall that γ_y < γ/2 for every y outside ∪_j S_j): 

$\gamma = \mathbb{E}_y[\gamma_y] \le \frac{\gamma}{2} + \sum_{j=1}^{k} 2^{1-j}\,\Pr_y[y \in S_j] < \frac{\gamma}{2} + \sum_{j=1}^{k} 2^{1-j}\,\frac{2^{j-2}\gamma}{k} = \gamma .$

Now, given g^a, g^b, the algorithm O starts by choosing a random v ∈ Z_q. Next, 
choose d independent random elements u_1, ..., u_d ∈ Z_q and query the oracle 
with g^{a+u_i} and (the fixed) g^{b+v}. After that we apply the algorithm of 
Lemma 3 to the obtained answers, and the value returned is finally output by 
O. To analyze this, note that if y = v + b is j-good for some j, the oracle 
with probability 2^{-jd} returns the correct values of 

$s_i = \mathrm{MSB}_{\eta,p}\bigl(g^{(a+u_i)(b+v)}\bigr) = \mathrm{MSB}_{\eta,p}(\alpha t_i)$

for every i = 1, ..., d, where α = g^{a(b+v)} and t_i = g^{u_i(b+v)}. Since q is prime, 
t_1, ..., t_d are distinct and applying Lemma 5 we see that the algorithm of 
Lemma 3 then finds α (and thus also g^{ab} = α g^{-av}) with probability 1 − 1/p. 

The above procedure performs as stated with probability at least 2^{-jd} Pr_v[v + 
b ∈ S_j]. As we have seen, there must be a j for which Pr_v[v + b ∈ S_j] ≥ 2^{j-2}γ/k, 
so O succeeds with probability at least 

$\frac{\gamma\,2^{-j(d-1)-2}}{k} \ge \frac{\gamma\,2^{-k(d-1)-2}}{k} \ge \frac{\gamma\,2^{-(\log(2/\gamma)+1)(d-1)-2}}{k} = \frac{\gamma^d\,2^{-2d}}{k} \ge \frac{\gamma^d\,2^{-2d-1}}{\log(2/\gamma)},$

which is Ω((0.25γ)^{3δ^{-1}+1} log^{-1}(2/γ)). The above algorithm satisfies the definition 
of faulty Diffie-Hellman oracle given in [33]. Therefore, applying Corollary 1 
of [33] (with ε = ρ and α = 1/log p in the notations of [33]) we finish the proof. 

□ 



We remark that the proof of Theorem 1 only relies on the existence of a 
“good” j, but we stress that it is also possible to efficiently find this j and a 
corresponding v such that v + b is indeed j-good. To this end, choose a random 
v, and query the oracle on inputs of the form (g^r, g^{b+v}) for random, independent 
r. Since r, v, and g^b are known, so is the corresponding Diffie-Hellman secret 
g^{(b+v)r}. This means that we for each r can check if the oracle is correct on this 
input. Repeating this for polynomially many independent r, we get a sufficiently 
good approximation of γ_{v+b}, on which we can base the decision on whether v + b 
is “good” or not, see also the proof of Theorem 2. 

Obviously, the algorithm of Theorem 1 remains polynomial time under the 
condition δ^{-1} log γ^{-1} = O(log log p). For example, for any fixed δ > 0 (that is, 
when η corresponds to Ω(log p) bits) the tolerated rate of correct oracle answers 
can be as low as γ = Ω(log^{-A} p) with some constant A > 0. On the other hand, 
if the oracle is correct with a constant rate γ, then it is enough if it outputs 
η = Ω(log p / log log p) bits. This range can be compared to the original works 
in [6,16], which apply with only O(log^{1/2} p) bits from the oracle, but on the other 
hand require the rate of correct answers to be γ = 1 + o(1). 
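The randomisation step of the proof of Theorem 1 and the oracle self-check from the remark above, as an added toy simulation that is not part of the paper: the group, the "good" set of y and the success rates are constructed, and the oracle is assumed to return the whole value g^{xy} (η = log p), so the lattice step of Lemma 3 is replaced by a majority vote.

```python
import random

# Constructed toy parameters: p = 2q + 1 with q prime, and g of order exactly q.
P = 2207
Q = 1103
G = pow(2, (P - 1) // Q, P)            # = 4; 4 != 1 and q is prime, so ord(4) = q
DLOG = {pow(G, i, P): i for i in range(Q)}   # used only to simulate the oracle


def make_oracle(rng):
    """Monte Carlo oracle MSB_{eta,gamma} with eta = log p.  On input (g^x, g^y) it
    returns g^{xy} with probability 0.9 when y is 'good' (constructed here as
    y mod 7 in {0, 1}) and an arbitrary group element otherwise, so gamma_y is
    0.9 for roughly 2/7 of all y and 0 for the rest (gamma ~ 0.26)."""
    def oracle(gx, gy):
        x, y = DLOG[gx], DLOG[gy]
        if y % 7 in (0, 1) and rng.random() < 0.9:
            return pow(G, x * y % Q, P)
        return pow(G, rng.randrange(Q), P)          # arbitrary wrong answer
    return oracle


def estimate_rate(oracle, gy, rng, samples=40):
    """The check from the remark after Theorem 1: for inputs (g^r, g^y) with r
    chosen by us, the Diffie-Hellman value (g^y)^r is known, so the oracle's
    success rate gamma_y on this y can be measured directly."""
    hits = 0
    for _ in range(samples):
        r = rng.randrange(1, Q)
        if oracle(pow(G, r, P), gy) == pow(gy, r, P):
            hits += 1
    return hits / samples


def recover_dh(oracle, ga, gb, rng, gamma=0.26, d=15, max_tries=200):
    """Algorithm O of the proof of Theorem 1.  Choose v until g^{b+v} is 'good'
    (rate at least gamma/2), then query on (g^{a+u_i}, g^{b+v}) for random u_i.
    A correct answer equals alpha * t_i with alpha = g^{a(b+v)} and
    t_i = (g^{b+v})^{u_i}; since the whole value is returned, alpha is read off
    directly and g^{ab} = alpha * g^{-av}.  A majority vote over the d candidates
    stands in for Lemma 5's handling of wrong answers."""
    for _ in range(max_tries):
        v = rng.randrange(Q)
        gbv = gb * pow(G, v, P) % P                  # g^{b+v}, the fixed second input
        if estimate_rate(oracle, gbv, rng) < gamma / 2:
            continue                                 # v + b is not good: pick a new v
        votes = {}
        for _ in range(d):
            u = rng.randrange(Q)
            answer = oracle(ga * pow(G, u, P) % P, gbv)   # hopefully g^{(a+u)(b+v)}
            alpha = answer * pow(gbv, Q - u, P) % P       # divide by t_i = g^{u(b+v)}
            cand = alpha * pow(ga, Q - v, P) % P          # alpha * g^{-av}
            votes[cand] = votes.get(cand, 0) + 1
        return max(votes, key=votes.get)
    return None                                      # no good v found
```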



4.2 Las Vegas Type Attacks 

We now turn to the more powerful type of oracles. Given positive η and A, we 
define the oracle DH_{η,A} as a “black box” which, given g^x, g^y ∈ F_p^*, outputs the 
value of MSB_{η,p}(g^{xy}) with probability at least log^{-A} p (taken over random 
pairs (x, y) ∈ Z_q^2 and possible internal coin-flips), and outputs an error audit 
message, ⊥, otherwise. 

That is, DH_{η,A} is a Las Vegas type oracle which outputs some useful (correct) 
information non-negligibly often and never returns a wrong answer (but rather 
gives no answer at all). Again, the case of A = 0 quantitatively corresponds to 
the “error-free” oracle which has been considered in [6,16]. 



Theorem 2. For any ε > 0 the following statement holds. Let 

$\eta = \left\lceil \frac{\tau \log p \,\log\log\log p}{\log\log p} \right\rceil$

where τ > 0 is an arbitrary absolute constant. For any element g ∈ F_p^* of multi- 
plicative order q ≥ p^ε, where q is prime, there exists a probabilistic polynomial 
time algorithm which for any pair (a, b) ∈ Z_q^2, given the values of g^a, g^b ∈ F_p, 
makes the expected number of O(log^{2A} p log log p) calls to the oracle 
DH_{η,A} and computes g^{ab} correctly with probability 1 + O(log^{-A} p). 




Proof. The proof is similar to that of Theorem 1, though for simplicity, we use 
a slightly rougher estimate. Let γ = log^{-A} p and let γ_y be as in the notation of 
the proof of Theorem 1. 

To find v ∈ Z_q with γ_{v+b} ≥ γ/4 choose a random v ∈ Z_q. We check 
whether b ≡ ±v (mod q), in which case we are done. Otherwise we choose 
N = ⌈20γ^{-1} log γ^{-1}⌉ independent, random elements u_1, ..., u_N ∈ Z_q and query 
the oracle with g^{a+u_i} and g^{b+v}. If the oracle returns K ≥ γN/2 answers 
(other than ⊥) then γ_{v+b} ≥ γ/4 with probability 1 + O(γ). Indeed, by the Chernoff bound, see 
for example Section 9.3 of [24], we get that if γ_{v+b} < γ/4 then even after 

$M = \left\lceil \frac{\log(2/\gamma)}{\gamma_{v+b}} \right\rceil \ge N$

queries the oracle returns at most 2Mγ_{v+b} < K answers with probability at least 1 − γ. 

By the Markov inequality (5), we see that after the expected number of 2γ^{-1} 
random choices of v we find v with γ_{v+b} ≥ γ/4 with probability 1 + O(γ). 

For this v we re-use the first d = ⌈3 log p / η⌉ replies of the oracle 
which have been used for testing whether b + v is “good” (if K ≥ d) or get d − K 
additional replies (if K < d, which will not happen for interesting γ). Thus we 
get d values 

$s_i = \mathrm{MSB}_{\eta,p}\bigl(g^{(a+u_i)(b+v)}\bigr) = \mathrm{MSB}_{\eta,p}(\alpha t_i)$

where α = g^{a(b+v)} and t_i = g^{u_i(b+v)}, i = 1, ..., d. Applying Lemma 5 we see 
that the algorithm of Lemma 3 finds α with probability at least 1 − 1/p. Finally 
we compute g^{ab} = α g^{-av}. □ 

A recent paper by Hast [19] studies an oracle model which falls somewhere in 
between Monte Carlo and Las Vegas oracles. Specifically, [19] considers oracles 
which, for some ε, δ ∈ [0, 1], output ⊥ with probability 1 − δ, and where non-⊥ 
answers are correct with advantage ε. Our Las Vegas oracles thus correspond to 
ones with non-negligible δ and the extreme case of ε = 1. For the specific case of 
the Goldreich-Levin [13] based pseudo-random bit generator, Hast [19] shows that 
for a given (non-negligible) success-rate, the existence of oracles with small δ 
would indeed be more serious than the existence of traditional oracles (for which 
δ = 1). Perhaps not surprisingly, Theorems 1 and 2 demonstrate this for the 
case of the Diffie-Hellman scheme, by comparing the complexity of the respective 
reductions. 



5 Summary 

We have extended existing hardness results on the Diffie-Hellman scheme to 
tolerate higher error-rates in the predictions, by a trade-off on the number of 
bits predicted. We also studied an alternative (and much stronger) computational 
prediction-model whose realization, albeit less likely than more classical models, 
would have more severe impact on the security of Diffie-Hellman. The idea to 
consider Las Vegas type attacks in this setting appears to be new and definitely 
deserves further study. 

We remark that the analysis using Las Vegas type predictors can be applied 
to the study of RSA as well, for instance, when analyzing the use of RSA to 
send reasonably short bit strings with random padding. (In particular, results 
concerning Δ-homogeneous distribution generalize to composite moduli.) Quali- 
tatively, such results could of course also have been derived from the bit security 
results in [20]. Nevertheless, the significantly tighter reductions possible from a 
Las Vegas oracle show (as one would expect) that the existence of such an oracle 
would indeed also be quantitatively more severe for the security of RSA. 

Of course, the most intriguing open problem remains: show that even single, 
individual bits of the Diffie-Hellman scheme are hard to approximate. 
Abstract. In this paper, we study short exponent Diffie-Hellman prob- 
lems, where significantly many lower bits are zeros in the exponent. We 
first prove that the decisional version of this problem is as hard as two 
well known hard problems, the standard decisional Diffie-Hellman prob- 
lem (DDH) and the short exponent discrete logarithm problem. It implies 
that we can improve the efficiency of the ElGamal scheme and the Cramer-Shoup 
scheme under the two widely accepted assumptions. We next derive a sim- 
ilar result for the computational version of this problem. 



1 Introduction 

The discrete logarithm (DL) problem and the Diffie-Hellman (DH) problems are 
the basis of many applications in modern cryptography. 



1.1 Previous Works on DL Problem 

Blum and Micali [1] presented the first cryptographically secure pseudo-random 
bit generators (PRBG) under the DL assumption over Z_p^*, where p is a prime. 
Long and Wigderson [6], and Peralta [9] showed that up to O(log log p) pseudo- 
random bits can be extracted by a single modular exponentiation of the Blum- 
Micali generator. 

The discrete logarithm with short exponent (DLSE) assumption is also use- 
ful. It claims that the DL problem is still hard even if the exponent is small. 
Van Oorschot and Wiener studied under what condition the DLSE assumption 
remains difficult (their concern was to speed up the key agreement method of 
Diffie-Hellman) [12]. They showed that the known attacks are precluded if safe 
primes p are used for Z_p^* (that is, p − 1 = 2q for a prime q) or prime-order 
groups are used. In particular, the latter is highly recommended. Under the DLSE 
assumption, Patel and Sundaram [8] showed that it is possible to extract up to 
n − ω(log n) bits from one iteration of the Blum-Micali generator by using safe 
primes p, where n is the bit length of p. Gennaro [4] further improved this result 
in such a way that each full modular exponentiation can be replaced with a short 
modular exponentiation. 

1.2 Our Contribution on DH Problems 

Let G_q be a finite Abelian group of prime order q. Let g be a generator, that is, 
G_q = ⟨g⟩. Then the computational Diffie-Hellman (CDH) problem is to compute 
g^{ab} from (g, g^a, g^b). The decisional Diffie-Hellman (DDH) problem is to distin- 
guish between (g, g^a, g^b, g^{ab}) and (g, g^a, g^b, g^c), where a, b and c are uniformly 
and randomly chosen from Z_q. 





Table 1. Previous works over Z_p^* 

                   Short exp ≈ Full exp    Short DL 
  |Z_p^*| = even   Gennaro [4]             Application to PRBG [8,4] 

Table 2. Our work over G_q 

                   Short ≈ Full    Short exp. DDH                Short exp. CDH 
  |G_q| = prime    This paper      DDH + Short DL,               CDH + Short DL, 
                                   Application to encryption     Application to OT 



In this paper, we study short exponent variants of the DDH problem and 
the CDH problem over Gq, where significantly many lower bits are zeros in 
the exponent. More precisely, the short exponent DDH problem has two sub- 
problems, a (Short, Full)-DDH problem in which a is small, and a (Short, Short)- 
DDH problem in which both a and b are small. The short exponent CDH problem 
has two sub-problems, similarly. 

We first prove that each of the short exponent DDH problems is as hard 
as two well known hard problems, the standard DDH problem and the DLSE 
problem. That is, we show our equivalence: 

(Short, Full)-DDH = (Short, Short)-DDH = DDH + DLSE. 

To prove these equivalences, we show that short exponents {g^x | x is small} 
and full exponents {g^x | x ∈ Z_q} are indistinguishable under the DLSE assump- 
tion over prime-order groups G_q. A similar result was proved for Z_p^* by Gennaro 
[4] based on [8], where p is a safe prime. Our proof shows that the indistin- 
guishability can be proved much more simply over G_q than over Z_p^*. (Remember that 
prime-order groups are highly recommended for the DLSE assumption by van 
Oorschot and Wiener [12]. It is also consistent with the DDH problem which is 
defined over prime-order groups.) 

Our result implies that we can improve the efficiency of the ElGamal encryption 
scheme and the Cramer-Shoup encryption scheme directly under the two widely ac- 
cepted assumptions, the DDH assumption and the DLSE assumption. Indeed, we 
present such variants of the ElGamal scheme and the Cramer-Shoup scheme. They are 
much faster than the original encryption algorithms because short exponents are 
used instead of full exponents. (Remember that under the DDH assumption, the El- 
Gamal encryption scheme [3] is secure in the sense of indistinguishability against 
chosen plaintext attack (IND-CPA) and the Cramer-Shoup scheme [2] is secure in 
the sense of indistinguishability against chosen ciphertext attack (IND-CCA).) 

We next show a similar result for the CDH problem. That is, we prove the 
equivalence 

(Short, Full)-CDH = (Short, Short)-CDH = CDH + DLSE. 

This result implies that we can improve the efficiency of the oblivious transfer 
protocols of [7,5] under the CDH assumption plus the DLSE assumption. 

We believe that there will be many other applications of our results. 

2 Preliminaries 

2.1 Notation 

|x| denotes the bit length of x. x ∈_R X means that x is randomly chosen from a 
set X. We sometimes assume the uniform distribution over X. Throughout the 
paper, an “efficient algorithm” means a probabilistic polynomial time algorithm. 

Let n denote the bit length of q, where q is the prime order of G_q. Let 
c = ω(log n). It means that 2^c grows faster than any polynomial in n. Let 
lsb_k(z) be the function that returns the least significant k bits of z and msb_k(z) 
the function that returns the most significant k bits of z. If we write b = msb_k(z), 
we sometimes mean that the binary representation of b is msb_k(z). 

2.2 Discrete Logarithm with Short Exponent (DLSE) Assumption 

Let f(g, x) = (g, g^x), where g is a generator of G_q. The discrete logarithm (DL) 
problem is to compute the inverse of f. The DL assumption says that the DL 
problem is hard. 

We next define the discrete logarithm with short exponent (DLSE) problem 
as follows. Let f^{se}(g, m||0^{n−c}) = (g, g^{m||0^{n−c}}), where |m| = c and || denotes con- 
catenation. That is, the exponent of f^{se} is short. Then the DLSE problem 
is to compute the inverse of f^{se}. The DLSE assumption says that the DLSE 
problem is hard. Formally, 

Assumption 1. (DLSE assumption) There exists no efficient algorithm which 
solves the DLSE problem with non-negligible probability. 

3 Short EXP ≈ Full EXP 

In this section, we prove that full exponents and short exponents are indistin- 
guishable under the DLSE assumption. More formally, define A_0 and A_{n−c} as 

$A_0 = \{(g, g^x) \mid x \in R_0\} \quad\text{and}\quad A_{n-c} = \{(g, g^x) \mid x \in R_{n-c}\},$

where 

$R_0 = \{u \mid 0 \le u < q\} \quad\text{and}\quad R_{n-c} = \{2^{n-c} m \mid 0 \le 2^{n-c} m < q\}.$



Theorem 1. A_0 and A_{n−c} are indistinguishable under the DLSE assumption. 

A proof is given in Appendix A. We show a sketch of the proof here. For 
1 ≤ i ≤ n − c, let 

$A_i = \{(g, g^x) \mid x \in R_i\}, \quad\text{where } R_i = \{2^i m \mid 0 \le 2^i m < q\}.$

Suppose that there exists a distinguisher D which can distinguish A_{n−c} from 
A_0. Then by using a hybrid argument, there exists j such that A_j and A_{j+1} are 
distinguishable. 

We will show that (i) the j can be found in polynomial time and (ii) the 
DLSE problem can be solved by using the (D, j). We briefly sketch below how 
to solve the DLSE problem by using the (D, j). (Remember that the DLSE 
problem is to find x from (g, g^x) in A_{n−c}.) 

1. The difference between A_j and A_{j+1} appears in the (j + 1)-th least significant 
bit b_{j+1} of exponents x. That is, 

$b_{j+1} = \begin{cases} 1 & \text{if } (g, g^x) \in A_j \setminus A_{j+1} \\ 0 & \text{if } (g, g^x) \in A_{j+1} \end{cases}$

Hence we can show that (D, j) can be used as a prediction algorithm of b_{j+1}. 

2. We can compute g^{x/2} (that is, g^{x · 2^{-1} mod q}) from g^x because the order of G_q is a prime q. This 
enables us to use (D, j) to predict all higher bits of x as well as b_{j+1} (except 
several most significant bits γ). 

3. Suppose that (g, y) ∈ A_{n−c} is given, where y = g^{v||0^{n−c}}. In order to find 
b_1 = lsb_1(v), we carefully randomize y so that the exponent is uniformly 
distributed over R_j. For this randomization, we need to search some most 
significant bits γ of v exhaustively, but in polynomial time. 

4. After all, by taking the majority vote, we can find b_1 = lsb_1(v) with over- 
whelming probability. Next let 

where v = v'||b_1. Applying the same process, we can find lsb_1(v') similarly. 
By repeating this algorithm, we can finally find v with overwhelming prob- 
ability. 

4 (Short, Full)-DDH = Standard DDH + DLSE 

The standard DDH assumption claims that 

$B_0 = \{(g, g^x, g^y, g^{xy}) \mid x \in \mathbb{Z}_q, y \in \mathbb{Z}_q\}$ and 
$C_0 = \{(g, g^x, g^y, g^z) \mid x \in \mathbb{Z}_q, y \in \mathbb{Z}_q, z \in \mathbb{Z}_q\}$ 

are indistinguishable. 

We now define the (Short, Full)-DDH assumption as follows. Let 

$B_{n-c} = \{(g, g^x, g^y, g^{xy}) \mid x \in R_{n-c}, y \in \mathbb{Z}_q\}$ and 
$C_{n-c} = \{(g, g^x, g^y, g^z) \mid x \in R_{n-c}, y \in \mathbb{Z}_q, z \in \mathbb{Z}_q\},$ 

where c = ω(log n) with n = |q|. The (Short, Full)-DDH assumption claims that 
B_{n−c} and C_{n−c} are still indistinguishable. Note that x is short and y is of full 
length. 

We then prove the (Short, Full)-DDH assumption is equivalent to the stan- 
dard DDH assumption and the DLSE assumption. We first show that the stan- 
dard DDH assumption and the DLSE assumption implies the (Short, Full)-DDH 
assumption. 



Theorem 2. Suppose that the DDH assumption and the DLSE assumption are 
true. Then the (Short, Full)-DDH assumption is true. 



Proof. From Theorem 1, A_0 and A_{n−c} are indistinguishable under the DLSE 
assumption, where 

$A_0 = \{(g, g^x) \mid x \in R_0\} \quad\text{and}\quad A_{n-c} = \{(g, g^x) \mid x \in R_{n-c}\}.$

First it is clear that C_0 and C_{n−c} are indistinguishable because y and z are 
random independently of x. 

Next we prove that B_0 and B_{n−c} are indistinguishable. Suppose that there 
exists a distinguisher D which distinguishes B_{n−c} from B_0. Then we show that 
there exists a distinguisher D' which distinguishes A_{n−c} from A_0. On input 
(g, g^x), D' chooses y ∈ Z_q at random and computes g^y and (g^x)^y. D' then gives 
(g, g^x, g^y, (g^x)^y) to D. Note that 

$(g, g^x, g^y, (g^x)^y) \in_R \begin{cases} B_0 & \text{if } (g, g^x) \in_R A_0, \\ B_{n-c} & \text{if } (g, g^x) \in_R A_{n-c}. \end{cases}$

D' finally outputs the output bit of D. Then it is clear that D' can distinguish 
A_{n−c} from A_0. However, this is against Theorem 1. Hence B_0 and B_{n−c} are 
indistinguishable. 

Consequently we obtain that B_{n−c} ≈ B_0 ≈ C_0 ≈ C_{n−c}, where ≈ means 
indistinguishable. (B_0 ≈ C_0 comes from the standard DDH assumption.) There- 
fore, B_{n−c} and C_{n−c} are indistinguishable. □ 



We next show that the (Short, Full)-DDH assumption implies the standard 
DDH assumption and the DLSE assumption. 

Theorem 3. Suppose that the (Short, Full)-DDH assumption is true. Then the 
DDH assumption and the DLSE assumption are true. 

Proof. First suppose that there exists an efficient algorithm M which can solve 
the DLSE problem with some non-negligible probability ε. Then we show that 
there exists a distinguisher D between B_{n−c} and C_{n−c}. 

On input (g, g^x, g^y, a), D gives g^x to M. If M does not output x correctly, 
then D outputs a random bit b. Suppose that M outputs x correctly. Then D 
outputs b such that 

$b = \begin{cases} 1 & \text{if } a = (g^y)^x \\ 0 & \text{if } a \ne (g^y)^x \end{cases}$

Then it is easy to see that D distinguishes between B_{n−c} and C_{n−c}. 

Next suppose that there exists a distinguisher D_0 which breaks the DDH 
assumption. Then we show that there exists a distinguisher D_1 which breaks the 
(Short, Full)-DDH assumption. 

Let (g, g^x, g^y, g^a) be an input to D_1, where a = xy mod q or random. D_1 
chooses r ≠ 0 at random and gives (g, (g^x)^r, g^y, (g^a)^r) to D_0. It is easy to see 
that 

$(g, (g^x)^r, g^y, (g^a)^r) \in_R \begin{cases} B_0 & \text{if } (g, g^x, g^y, g^a) \in_R B_{n-c} \\ C_0 & \text{if } (g, g^x, g^y, g^a) \in_R C_{n-c}. \end{cases}$

Finally D_1 outputs the output bit of D_0. Then it is clear that D_1 distinguishes 
between B_{n−c} and C_{n−c}. □ 



From Theorem 2 and Theorem 3, we obtain the following corollary. 

Corollary 1. The (Short, Full)-DDH assumption is equivalent to both the DDH 
assumption and the DLSE assumption. 



5 Extension to (Short, Short)-DDH 

We define the (Short, Short)-DDH assumption as follows. Let 

$B'_{n-c} = \{(g, g^x, g^y, g^{xy}) \mid x \in R_{n-c}, y \in R_{n-c}\}$ and 
$C'_{n-c} = \{(g, g^x, g^y, g^z) \mid x \in R_{n-c}, y \in R_{n-c}, z \in \mathbb{Z}_q\}.$ 

Then the (Short, Short)-DDH assumption claims that B'_{n−c} and C'_{n−c} are indis- 
tinguishable. Note that both x and y are short in B'_{n−c} and C'_{n−c}. 

We first show that the (Short, Full)-DDH assumption implies the (Short, 
Short)-DDH assumption. 

Theorem 4. Suppose that the (Short, Full)-DDH assumption is true. Then the 
(Short, Short)-DDH assumption is true. 

Proof. First suppose that the (Short, Full)-DDH assumption is true. From The- 
orem 3, both the DLSE assumption and the DDH assumption are true. From 
Theorem 1, A_0 and A_{n−c} are indistinguishable. Then it is clear that C_{n−c} and 
C'_{n−c} are indistinguishable because x and z are random independently of y. 

Next we prove that B_{n−c} and B'_{n−c} are indistinguishable. Suppose that there 
exists a distinguisher D which distinguishes B_{n−c} and B'_{n−c}. Then we show that 
there exists a distinguisher D' which distinguishes A_{n−c} from A_0. On input 
(g, g^y), D' chooses x ∈ R_{n−c} at random and computes g^x and (g^y)^x. D' then 
gives (g, g^x, g^y, (g^y)^x) to D. Note that 

$(g, g^x, g^y, (g^y)^x) \in_R \begin{cases} B_{n-c} & \text{if } (g, g^y) \in_R A_0, \\ B'_{n-c} & \text{if } (g, g^y) \in_R A_{n-c}. \end{cases}$

D' finally outputs the output bit of D. Then it is clear that D' can distinguish 
A_{n−c} from A_0. However, this contradicts that A_0 and A_{n−c} are indistinguishable. 
Hence B_{n−c} and B'_{n−c} are indistinguishable. 

Consequently we obtain that 

$B'_{n-c} \approx B_{n-c} \approx C_{n-c} \approx C'_{n-c},$

where ≈ means indistinguishable. Therefore, B'_{n−c} and C'_{n−c} are indistinguish- 
able. □ 



We next show that the (Short, Short)-DDH assumption implies the (Short, 
Full)-DDH assumption. 



Theorem 5. Suppose that the (Short, Short)-DDH assumption is true. Then 
the (Short, Full)-DDH assumption is true. 



Proof. First suppose that the (Short, Full)-DDH assumption is false. Then, from 
Theorem 2, either the DDH assumption or the DLSE assumption is false. 

Further suppose that the DLSE assumption is false. That is, there exists an ef- 
ficient algorithm M which can solve the DLSE problem with some non-negligible 
probability ε. Then we show that there exists a distinguisher D between B'_{n−c} 
and C'_{n−c}. 

On input (g, g^x, g^y, a), D gives g^x to M. If M does not output x correctly, 
then D outputs a random bit b. Suppose that M outputs x correctly. Then D 
outputs b such that 

$b = \begin{cases} 1 & \text{if } a = (g^y)^x \\ 0 & \text{if } a \ne (g^y)^x. \end{cases}$

Then it is easy to see that D distinguishes between B'_{n−c} and C'_{n−c}. 

Next suppose that the DDH assumption is false. That is, there exists a distin- 
guisher D_0 which breaks the DDH assumption. Then we show that there exists 
a distinguisher D_1 which breaks the (Short, Short)-DDH assumption. 

Let (g, g^x, g^y, g^a) be an input to D_1, where a = xy mod q or random. D_1 
chooses r_1, r_2 ≠ 0 at random and gives (g, (g^x)^{r_1}, (g^y)^{r_2}, (g^a)^{r_1 r_2}) to D_0. It is 
easy to see that 

$(g, (g^x)^{r_1}, (g^y)^{r_2}, (g^a)^{r_1 r_2}) \in_R \begin{cases} B_0 & \text{if } (g, g^x, g^y, g^a) \in_R B'_{n-c}, \\ C_0 & \text{if } (g, g^x, g^y, g^a) \in_R C'_{n-c}. \end{cases}$

Finally D_1 outputs the output bit of D_0. Then it is clear that D_1 distinguishes 
between B'_{n−c} and C'_{n−c}. □ 



Corollary 2. The (Short, Short)-DDH assumption is equivalent to the (Short, 
Full)-DDH assumption. 

From Corollary 1, we obtain the following corollary. 

Corollary 3. The (Short, Short)-DDH assumption is equivalent to both the 
DDH assumption and the DLSE assumption. 

6 Short Computational DH 

Remember that the computational Diffie-Hellman (CDH) problem is to compute 
g^{xy} from g, g^x, g^y, where x, y ∈ Z_q. The CDH assumption says that the CDH 
problem is hard. 

In this section, we introduce two variants of the CDH assumption, (Short, 
Full)-CDH assumption and (Short, Short)-CDH assumption. We then prove that 
each of them is equivalent to the standard CDH assumption and the DLSE 
assumption. 

Short variants of the CDH assumption are defined as follows. 

Assumption 2. ((Short, Full)-CDH assumption) There exists no efficient al- 
gorithm for computing g^{xy} with non-negligible probability from g, g^x, g^y, where 
x ∈ R_{n−c} and y ∈ Z_q. 

Assumption 3. ((Short, Short)-CDH assumption) There exists no efficient al- 
gorithm for computing g^{xy} with non-negligible probability from g, g^x, g^y, where 
x ∈ R_{n−c} and y ∈ R_{n−c}. 

We first show that the standard CDH assumption and the DLSE assumption 
imply the (Short, Full)-CDH assumption. 

Theorem 6. Suppose that the CDH assumption and the DLSE assumption are 
true. Then the (Short, Full)-CDH assumption is true. 

Proof. Suppose that there exists an efficient algorithm A which computes g^{xy} 
from g, g^x, g^y such that x ∈ R_{n−c} and y ∈ Z_q. 

If the CDH problem is easy, then our claim holds. Suppose that the CDH 
problem is hard. We then show an efficient algorithm B which distinguishes be- 
tween A_0 and A_{n−c}. On input (g, g^x), B chooses y ∈ Z_q randomly and computes 
g^y. B gives (g, g^x, g^y) to A. Suppose that A outputs z. B checks if z = (g^x)^y. 

Now from our assumption, if (g, g^x) ∈ A_{n−c}, then z = g^{xy} with non-negligible 
probability. If (g, g^x) ∈ A_0, then z = g^{xy} with negligible probability. This means 
that B can distinguish between A_0 and A_{n−c}. From Theorem 1, this means that 
the DLSE assumption is false. □ 

We can prove the converse of Theorem 6 similarly to Theorem 3. Therefore, 
we obtain the following corollary. 

Corollary 4. (Short, Full)-CDH = Standard CDH + DLSE. 

We next show that the (Short, Short)-CDH assumption is equivalent to the 
standard CDH assumption and the DLSE assumption. 
Theorem 7. (Short, Short)-CDH = Standard CDH + DLSE. 

The proof is based on the same argument for the (Short, Full)-CDH assump- 
tion and the random self-reducibility of the discrete logarithm problem. The 
details will be given in the final paper. 

7 Applications 

In this section, we present fast variants of the ElGamal encryption scheme and 
the Cramer-Shoup encryption scheme. Each variant uses a short random exponent 
r such that r is essentially c bits long, where c = ω(log |q|) and q is the order of 
the underlying group. 

Note that computing g^r requires at most 2c modular multiplications in our 
variants while it requires at most 2n modular multiplications in the original al- 
gorithms. Hence our variants are much faster than the original encryption algo- 
rithms. 

We can prove their security easily from our results. They are semantically 
secure under the DDH assumption and the DLSE assumption (i.e., our variant 
of the ElGamal scheme is IND-CPA and our variant of the Cramer-Shoup scheme is 
IND-CCA, respectively). They are one-way under the CDH assumption and the 
DLSE assumption. 

7.1 Security of Public Key Cryptosystem 

A public key encryption scheme is called one-way if it is hard to compute the 
message m from a public key pk and a ciphertext C. 

The security in the sense of indistinguishability is defined as follows. Consider 
the following model of adversaries. In the find stage, the adversary chooses two 
messages m_0, m_1 on input pk. She then sends these to an encryption oracle. The 
encryption oracle chooses a random bit b, and encrypts m_b. In the guess stage, the 
ciphertext C_b is given to the adversary. The adversary outputs a bit b'. We say 
that the public key cryptosystem is secure in the sense of indistinguishability 
against chosen plaintext attack (IND-CPA) if |Pr(b' = b) − 1/2| is negligibly 
small (as a function of the security parameter). 

The security against chosen-ciphertext attack (IND-CCA) is defined similarly 
except that the adversary gets the decryption oracle and is allowed to query 
any ciphertext C, where it must be C ≠ C_b in the guess stage. 

7.2 (Short, Full) ElGamal Encryption Scheme 

The ElGamal encryption scheme is (1) one-way under the CDH assumption and (2) 
IND-CPA under the DDH assumption. Now our variant of the ElGamal encryption 
scheme is described as follows. 

(Key generation) Choose a generator g ∈ G_q and x ∈ Z_q randomly. Let y = 
g^x. The public key is (g, y) and the secret key is x. 

(Encryption) Given a message m ∈ G_q, first choose r such that r ∈ R_{n−c} 
randomly. Next compute c_1 = g^r, c_2 = m y^r. The ciphertext is (c_1, c_2). 

(Decryption) Given a ciphertext (c_1, c_2), compute 

$c_2 / c_1^x = m y^r / (g^r)^x = m g^{xr} / g^{rx} = m.$

Note that the encryption is very efficient because small r is used. The security 
is proved as follows. 

Theorem 8. The above scheme is still one-way under the CDH assumption and 
the DLSE assumption. 

Theorem 9. The above scheme is still IND-CPA under the DDH assumption 
and the DLSE assumption. 

7.3 (Short, Full) Cramer-Shoup Encryption Scheme 

We next show our variant of Gramer-Shoup scheme. 

(Key generation) Choose two generators $g_1$ and $g_2$ at random. Also choose 
$x_1, x_2, y_1, y_2, z \in Z_q$ randomly. Let 

$c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, $h = g_1^z$. 

The public key is $(g_1, g_2, c, d, h, H)$ and the secret key is $(x_1, x_2, y_1, y_2, z)$, where 
$H$ is a randomly chosen universal one-way hash function. 

(Encryption) Given a message $m \in G_q$, first choose $r$ such that $2^{n-c} r \in_R R_{n-c}$ 
randomly. Next compute 

$u_1 = g_1^{2^{n-c} r}$, $u_2 = g_2^{2^{n-c} r}$, $e = h^{2^{n-c} r} m$, $\alpha = H(u_1, u_2, e)$, $v = (c d^{\alpha})^{2^{n-c} r}$. 

The ciphertext is $(u_1, u_2, e, v)$. 

(Decryption) Given a ciphertext $(u_1, u_2, e, v)$, first compute $\alpha = H(u_1, u_2, e)$ 
and test if $u_1^{x_1 + y_1 \alpha} u_2^{x_2 + y_2 \alpha} = v$. If this condition does not hold, the decryption 
algorithm outputs “reject”. Otherwise, it outputs $m = e / u_1^z$. 

The encryption algorithm is very efficient because small $r$ is used. The Cramer- 
Shoup scheme is IND-CCA under the DDH assumption [2]. The proposed scheme 
is secure under the following assumptions. 

Theorem 10. The above scheme is still IND-CCA under the DDH assumption 
and the DLSE assumption. 

The proof is almost the same as the proof of [2]. We use Corollary 1. The 
details will be given in the final paper. 

7.4 (Short, Short) Versions 

We can construct (Short, Short) versions of the ElGamal scheme and the Cramer-Shoup 
scheme, and prove their security. The details will be given in the final paper. 
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Appendix 

A Proof of Theorem 1 

Before giving a proof of Theorem 1, we show some technical lemmas. Remember 
that $c = \omega(\log n)$. 

Lemma 1. We consider an index $i$ which can be computed in probabilistic 
polynomial time. Suppose that there exists an efficient algorithm $D$ that on 
input $(g, g^{u \| 0^i}) \in_R A_i$, outputs the lsb of $u$ with probability $1/2 + \epsilon$, where $\epsilon$ is 
non-negligible. Then for any fixed $g \in G_q$, there exists an efficient algorithm that 
on input $g^{u \| 0^i}$, outputs the lsb of $u$ with probability $1/2 + \epsilon$, where $u \| 0^i \in_R R_i$. 

Lemma 1 is easily obtained from the random self-reducibility, namely that com- 
puting $z$ from $(g, g^z)$ is equivalent to computing $z$ from $(g^r, (g^r)^z)$. Next let $g$ be 
a generator of $G_q$. 
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Lemma 2. We consider an index $i$ such that $i < n - c$ which can be computed 
in probabilistic polynomial time. Suppose that there exists an efficient algorithm 
$D$ that on input $g$ and $g^{u \| 0^i}$, outputs the lsb of $u$ with probability $1/2 + \epsilon$, where 
$u \| 0^i \in_R R_i$ and $\epsilon$ is non-negligible. 

Then there exists an efficient algorithm $D'$ that on input $y = g^{v \| 0^{n-c}}$ and 
$msb_{\log t}(v)$, outputs the lsb of $v$ with probability at least $1/2 + \epsilon - (2/t)$. 



Proof. Let $D$ be an efficient algorithm as stated above. We construct an efficient 
algorithm $D'$ that, given $g$, $y = g^{v \| 0^{n-c}}$ and $msb_{\log t}(v)$, outputs the lsb of $v$ with 
probability at least $1/2 + \epsilon - (2/t)$. Let $\gamma = msb_{\log t}(v)$. That is, $v = \gamma \| v'$ for 
some $v'$. We will find the lsb of $v'$ by using $D$ (because $lsb_1(v) = lsb_1(v')$). 

(1) First, $D'$ zeros the $\log t$ most significant bits of $v$ by computing 

$y_1 = y g^{-\gamma 2^{n - \log t}}$. 

(2) Next $D'$ computes 

$y_2 = y_1^e$, where $e = 1/2^{n-c-i} \bmod q$. 

Note that the exponent of $y_1$ is shifted to the right by $n - c - i$ bits. Therefore, $y_2$ 
is written as $y_2 = g^s$ in such a way that 

$s = 0^{n-c-i+\log t} \| v' \| 0^i$. 

(3) $D'$ chooses $r \in R_i$ randomly and computes 

$y' = y_2 \cdot g^r = g^{s+r}$. 

(Note that $r = 2^i r'$ for some $r'$ since $r \in R_i$.) 

(4) $D'$ invokes $D$ with input $(g, y')$. 

(5) Suppose that $D$ outputs a bit $a$. (If $D$ outputs neither 0 nor 1, $D'$ chooses 
a bit $a$ randomly.) Then $D'$ outputs $\beta = a \oplus lsb_1(r')$. 

Let $u = s + r$. Then $u$ is uniformly distributed over $\{s' : s \le s' \le s + 
r_{max}$ and $2^i \mid s'\}$, where $r_{max}$ is the maximum element of $R_i$. Since $2^i \mid u$, we let 
$u' = u / 2^i$. 

If $u < q$ and $a = lsb_1(u')$, then 

$a = lsb_1(u') = lsb_1(v) \oplus lsb_1(r')$. 

Hence 

$lsb_1(v) = a \oplus lsb_1(r') = \beta$ (= the output of $D'$). 

Therefore, 

$\Pr(D'\ \mathrm{succeeds}) \ge \Pr(u < q$ and $a = lsb_1(u'))$ 

$= \Pr(u < q$ and $D(g, g^u) = lsb_1(u'))$. 

For a fixed random tape $C$ of $D$, let 

$GOOD(C) = \{x \mid x \in R_i,\ D(g, g^x) = lsb_1(x / 2^i)\}$. 
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(It is clear that $2^i \mid x$ for $x \in R_i$.) Then 

$\Pr(D'\ \mathrm{succeeds}) \ge \Pr(u < q$ and $D(g, g^u) = lsb_1(u'))$ 

$= E_C[\Pr(u < q$ and $u \in GOOD(C))]$ 

where $E_C$ denotes the expected value over $C$. 

It is easy to see that “$u < q$ and $u \in GOOD(C)$” is equivalent to $u \in 
GOOD(C)$. Therefore, 

$\Pr(D'\ \mathrm{succeeds}) \ge E_C[\Pr(u \in GOOD(C))]$. 

Further, since $u$ is uniformly distributed over $\{s' : s \le s' \le s + r_{max}$ and $2^i \mid s'\}$, 
we obtain 

$E_C[\Pr(u \in GOOD(C))] \ge E_C[\Pr_{y \in R_i}(y \in GOOD(C)) - \Pr_{y \in R_i}(y < s)]$ 

$\ge E_C[\Pr_{y \in R_i}(y \in GOOD(C))] - E_C[\Pr_{y \in R_i}(y < s)]$ 

$\ge \Pr_{y \in R_i}(y \in GOOD(C)) - \Pr_{y \in R_i}(y < s)$ 

$\ge 1/2 + \epsilon - 2/t$. 

Consequently, 

$\Pr(D'\ \mathrm{succeeds}) \ge 1/2 + \epsilon - 2/t$. 



□ 



Lemma 3. In Lemma 2, let $t = 4/\epsilon$. Then there exists an efficient algorithm 
that on input $g$, $y = g^{v \| 0^{n-c}}$ and $msb_{\log t}(v)$, outputs $v$ with overwhelming prob- 
ability. 



Proof. In Lemma 2, $D'$ outputs $lsb_1(v)$ with probability at least $1/2 + \epsilon/2$ because 
$t = 4/\epsilon$. Here $\epsilon/2$ is non-negligible from the assumption of Lemma 2. Then by 
running $D'$ polynomially many times (i.e., $2/\epsilon^2$ times) independently and taking 
the majority vote, we can obtain $b_1 = lsb_1(v)$ with overwhelming probability. 

Next let 

$y_1 = (y (g^{2^{n-c}})^{-b_1})^{1/2} = g^{0 \| v' \| 0^{n-c}}$, 

where $v = v' \| b_1$. Applying the same process, we can find $lsb_1(v')$ similarly. By 
repeating this algorithm, we can find $v$ with overwhelming probability. □ 
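As an added example (not code from the paper, which fixes no concrete group), the following Python puts the (Short, Full) ElGamal variant of Section 7.2 and the exponent manipulations of the proofs of Lemmas 2 and 3 into running form: the group is a toy safe-prime subgroup $G_q$ of $Z_p^*$ generated on the fly (an assumption of the demo), elements of $R_{n-c}$ are the integers $u \cdot 2^{n-c}$, and the Lemma 2 steps (1) and (2) are checked against a directly computed $g^{s}$ with $s = v' \| 0^i$.

```python
import random

# Added example, not code from the paper: the (Short, Full) ElGamal variant of Section 7.2
# over the order-q subgroup G_q of Z_p^* with p = 2q + 1 (a toy group chosen for the demo),
# followed by the exponent manipulations used in the proofs of Lemma 2 and Lemma 3.
# Elements of R_{n-c} = { u || 0^{n-c} } are represented as the integers u * 2^{n-c}.

_RNG = random.SystemRandom()

def is_probable_prime(m, rounds=32, rng=_RNG):
    """Miller-Rabin primality test (enough for a demo group, not a certificate)."""
    if m < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if m % sp == 0:
            return m == sp
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True

def make_group(n, rng=_RNG):
    """Return (p, q, g): q an n-bit prime, p = 2q + 1 prime, g a generator of G_q."""
    while True:
        q = rng.getrandbits(n) | (1 << (n - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)  # a square in Z_p^* has order q (or 1)
        if g != 1:
            return p, q, g

def keygen(p, q, g, rng=_RNG):
    """Secret key x, public key y = g^x."""
    x = rng.randrange(1, q)
    return x, pow(g, x, p)

def encrypt(p, q, g, y, m, n, c, rng=_RNG):
    """(Short, Full) ElGamal: the exponent 2^{n-c} r lies in R_{n-c}; only the c bits of r are random."""
    r = rng.getrandbits(c)
    # g^{2^{n-c}} and y^{2^{n-c}} depend only on the public key and can be cached, so an
    # encryption costs two c-bit exponentiations instead of two n-bit ones.
    g_hat = pow(g, 1 << (n - c), p)
    y_hat = pow(y, 1 << (n - c), p)
    return pow(g_hat, r, p), (m * pow(y_hat, r, p)) % p

def decrypt(p, q, x, c1, c2):
    """c2 / c1^x = m y^{2^{n-c} r} / (g^{2^{n-c} r})^x = m; c1 has order q, so c1^{-x} = c1^{q-x}."""
    return (c2 * pow(c1, (q - x) % q, p)) % p

def shift_exponent(p, q, g, y, n, c, i, log_t, gamma):
    """Steps (1)-(2) of the proof of Lemma 2: given y = g^{v || 0^{n-c}} with v = gamma || v'
    and gamma = msb_{log t}(v) known, return y2 = g^s with s = 0^{n-c-i+log t} || v' || 0^i,
    i.e. the unknown bits v' moved down by n-c-i positions without ever learning them."""
    # (1) clear the log t most significant bits: y1 = y * g^{-gamma * 2^{n - log t}}
    y1 = (y * pow(g, (-(gamma << (n - log_t))) % q, p)) % p
    # (2) raise to e = (2^{n-c-i})^{-1} mod q (Fermat, q prime); since 2^{n-c-i} divides
    #     the exponent of y1, this shifts that exponent right by n-c-i bits.
    e = pow(1 << (n - c - i), q - 2, q)
    return pow(y1, e, p)

def strip_lsb(p, q, g, y, n, c, b1):
    """Lemma 3 step: from y = g^{v || 0^{n-c}} and b1 = lsb_1(v), with v = v' || b1,
    return y1 = (y (g^{2^{n-c}})^{-b1})^{1/2} = g^{0 || v' || 0^{n-c}}."""
    y1 = (y * pow(g, (-(b1 << (n - c))) % q, p)) % p  # remove b1 from the exponent
    return pow(y1, pow(2, q - 2, q), p)                # divide the exponent by 2 mod q

def demo(n=64, c=20, i=5, log_t=3, rng=_RNG):
    """Run every step on constructed random inputs; return (decrypt ok, Lemma 2 ok, Lemma 3 ok)."""
    p, q, g = make_group(n, rng)
    x, y = keygen(p, q, g, rng)
    m = pow(rng.randrange(1, p), 2, p)                # a message in G_q (constructed)
    ok_dec = decrypt(p, q, x, *encrypt(p, q, g, y, m, n, c, rng)) == m
    gamma, v_rest = rng.getrandbits(log_t), rng.getrandbits(c - log_t)
    v = (gamma << (c - log_t)) | v_rest               # v = gamma || v', a c-bit exponent
    yv = pow(g, v << (n - c), p)                      # y = g^{v || 0^{n-c}}
    ok_l2 = shift_exponent(p, q, g, yv, n, c, i, log_t, gamma) == pow(g, v_rest << i, p)
    ok_l3 = strip_lsb(p, q, g, yv, n, c, v & 1) == pow(g, (v >> 1) << (n - c), p)
    return ok_dec, ok_l2, ok_l3
```

`demo()` returns `(True, True, True)`; the two exponent manipulations are exactly what lets $D'$ reuse a predictor for $A_i$ on an instance with $n-c$ trailing zeros.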



Now, we are ready to prove Theorem 1. 



Proof. Suppose that $A_0$ and $A_{n-c}$ are distinguishable. Then we will show that 
we can solve the DLSE problem. Assume that there exists a distinguisher $D$ 
between $A_0$ and $A_{n-c}$, namely, 

$|\Pr[D(A_0) = 1] - \Pr[D(A_{n-c}) = 1]| > \frac{1}{p(n)}$ 

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for infinitely many $n$ for some polynomial $p(\cdot)$. ($A_0$ and $A_{n-c}$ in the above 
equation denote the uniform distribution over the sets $A_0$ and $A_{n-c}$, respectively.) 
Then, for some $j$ such that $0 \le j \le n - c - 1$, 

$|\Pr[D(A_j) = 1] - \Pr[D(A_{j+1}) = 1]| > \frac{1}{np(n)}$. (1) 

We first show that we can find such an index j in polynomial time. 

Let $p_i = \Pr[D(A_i) = 1]$ for $0 \le i \le n - c - 1$. We estimate each $p_i$ by the 
sampling method of $m$ experiments. Let $\tilde{p}_i$ denote the estimated value. By using 
the Chernoff bound, we can show that 

$\Pr[|\tilde{p}_i - p_i| > 1/8np(n)] < 2e^{-2m/64(np(n))^2}$. 

In other words, we can estimate all $p_i$ with accuracy $\pm 1/8np(n)$ with high prob- 
ability by using $m = 2048 n^2 (p(n))^2$ random samples. This means that we have, 
for the $j$ of eq.(1), 

$|\tilde{p}_{j+1} - \tilde{p}_j| > 1/np(n) - 2/8np(n) = 3/4np(n)$. 

Therefore, there exists at least one j which satisfies the above equation. 

Our algorithm first finds an index $i$ such that 

$|\tilde{p}_{i+1} - \tilde{p}_i| > 3/4np(n)$, 

by using the $\tilde{p}_i$. For this $i$, we see that 

$|p_{i+1} - p_i| > 1/2np(n)$ (2) 

by using the same argument as above. 

We next show that $D$ can be used as a prediction algorithm of Lemma 1. 
Wlog, we assume that $p_i - p_{i+1} > 1/2np(n)$ from eq.(2). Then we can show that 

$\frac{1}{2}\Pr(D(A_{i+1}) = 0) + \frac{1}{2}\Pr(D(A_i \setminus A_{i+1}) = 1) > \frac{1}{2} + \frac{1}{2np(n)}$. 

This means that 

Thus $D$ can be used as a prediction algorithm of Lemma 1 with $\epsilon = 1/2np(n)$. 

We finally show that we can solve the DLSE problem by using Lemma 3. Sup- 
pose that we are given $(g, y)$ such that $y = g^{v \| 0^{n-c}}$. In order to apply Lemma 3, 
we first let $t = 4/\epsilon = 8np(n)$. We next guess the value of $msb_{\log t}(v)$. For each 
guessed value $\gamma$, we apply Lemma 3 and obtain $\tilde{v}$. We then check if $y = g^{\tilde{v} \| 0^{n-c}}$. 
If so, we have found that $\tilde{v} = v$. Otherwise, we try another guessed value. The 
number of possible values of $msb_{\log t}(v)$ is 

$2^{\log t} = t = 8np(n)$. 

Therefore, the exhaustive search on $msb_{\log t}(v)$ runs in polynomial time. Conse- 
quently, we can find $v$ in polynomial time with overwhelming probability. □ 
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Abstract. This paper proposes a new public key authenticated encryp- 
tion (signcryption) scheme based on the Diffie-Hellman problem in Gap 
Diffie-Hellman groups. This scheme is built on the scheme proposed by 
Boneh, Lynn and Shacham in 2001 to produce short signatures. The idea 
is to introduce some randomness into this signature to increase its level 
of security in the random oracle model and to re-use that randomness 
to perform encryption. This results in a signcryption protocol that is 
more efficient than any combination of that signature with an El Gamal 
like encryption scheme. The new scheme is also shown to satisfy really 
strong security notions and its strong unforgeability is tightly related to 
the Diffie-Hellman assumption in Gap Diffie-Hellman groups. 

Keywords: signcryption, Gap Diffie-Hellman groups, provable security 



1 Introduction 

The concept of public key signcryption schemes was proposed by Zheng in 1997 
([29]). The purpose of this kind of primitive is to perform encryption and signa- 
ture in a single logical step in order to obtain confidentiality, integrity, authenti- 
cation and non-repudiation more efficiently than the sign-then-encrypt approach. 
The drawback of this latter solution is to expand the final ciphertext size (this 
could be impractical for low bandwidth networks) and increase the sender and 
receiver’s computing time. Several efficient signcryption schemes have been pro- 
posed since 1997. The original scheme proposed in [29] was based on the discrete 
logarithm problem but no security proof was given. Zheng’s original construc- 
tion was only proven secure in 2002 ([3]) by Baek et al. who described a formal 
security model in a multi-user setting. In 2000, Steinfeld and Zheng ([27]) pro- 
posed another scheme for which the unforgeability of ciphertexts relies on the 
intractability of the factoring problem but they provided no proof of chosen ci- 
phertext security. 

The drawback of the previously cited solutions is that they do not offer easy 
non-repudiation of ciphertexts: a recipient cannot prove to a third party that 
some plaintext was actually signcrypted by the sender. Bao and Deng ([5]) pro- 
posed a method to add universal verifiability to Zheng’s cryptosystem but their 

* This author was supported by the DGTRE’s First Europe Project. 
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scheme was shown ([26]) to leak some information about the plaintext as other 
schemes like [28]. The latter schemes can easily be modified to fix their prob- 
lem but no strong guarantee of unforgeability can be obtained for them since 
the unforgeability of ciphertexts relies on the forking lemma ([24], [25]) which 
does not provide tight security reductions (see [16] for details). In the discrete 
logarithm setting, another scheme was shown in [26] to be chosen ciphertext 
secure under the Gap Diffie-Hellman assumption but it was built on a modified 
version of the DSA signature scheme which is not provably secure currently. 
As a consequence, no proof of unforgeability could be found for that scheme. 
An RSA-based scheme was described by Malone-Lee and Mao ([20]) who pro- 
vided proofs for both unforgeability under chosen-message attacks and chosen 
ciphertext security. Unfortunately, they only considered a security in a single- 
user setting rather than the more realistic multi-user setting. Furthermore, the 
security of that scheme is only loosely related to the RSA assumption. However, 
none of these schemes is provably secure against insider attacks: in some of them, 
an attacker learning some user’s private key can recover all messages previously 
signcrypted by that user. 

In 2002, An et al. ([1]) presented an approach consisting in performing signa- 
ture and encryption in parallel: a plaintext is first transformed into a pair (c, d) 
made of a commitment c and a de-commitment d in such a way that c reveals no 
information about m while the pair (c, d) allows recovering m. Once he completed 
the transformation, the signer can jointly encrypt c and sign d in parallel using 
appropriate encryption and signature schemes. The de-signcryption operation is 
then achieved by the recipient in a parallel fashion: the signature on d is verified 
while c is decrypted and the pair (c, d) is then used to recover the plaintext. This 
method decreases the computation time to signcrypt a message to the maximum 
of the times required by the underlying encryption and signature processes but 
the commitment step unfortunately involves some computation overhead. To 
improve this parallel approach, Pieprzyk and Pointcheval ([22]) proposed to use 
a (2, 2)-Shamir secret sharing as an efficient commitment scheme: a plaintext is 
first split into two shares $s_1, s_2$ which do not individually reveal any infor- 
mation on $m$. $s_1$ is used as a commitment and encrypted while $s_2$ is signed as a 
de-commitment. The authors of [22] also gave a construction allowing them to 
integrate any one-way encryption system (such as the basic RSA) with a weakly 
secure signature (non-universally forgeable signatures in fact) into a chosen ci- 
phertext secure and existentially unforgeable signcryption scheme. 

Dodis et al. ([11]) recently proposed another technique to perform paral- 
lel signcryption. Their method consists in a Feistel probabilistic two-paddings 
(called PSEP for short) which can be viewed as a generalization of other exist- 
ing probabilistic paddings (OAEP, OAEP+, PSS-R, etc.) and involve a particular 
kind of commitment schemes. The authors of [11] showed that their construc- 
tion also allows optimal exact security, flexible key management, compatibility 
with PKCS standards and has other interesting properties. They also claim that 
their scheme outperforms all existing signcryption solutions. We do not agree 
with that point since their method, like all other parallel signcryption proposi- 
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tions, has a significant drawback: the recipient of a message is required to know 
from whom a ciphertext emanates before beginning to verify the signature in 
parallel with the decryption operation. A trivial solution to this problem would 
be to append a tag containing the sender’s identity to the ciphertext but this 
would prevent the scheme from satisfying the notion of ciphertext anonymity 
formalized by Boyen in [10] (intuitively, this notion expresses the inability for 
someone observing a ciphertext to determine who the sender is nor to whom it is 
intended) that can be a desirable feature in many applications (see [10] for exam- 
ples). Furthermore, by the same arguments as those in [6], one can easily notice 
that the probabilistic padding described in [11] does not allow the key privacy 
property to be achieved when instantiated with trapdoor permutations such as 
RSA, Rabin or Paillier: in these cases, given a ciphertext and a set of public 
keys, it is possible to determine under which key the message was encrypted. An 
anonymous trapdoor permutation or a repeated variant of the padding PSEP 
(as the solutions proposed in [6]) could be used to solve this problem but this 
would decrease the scheme’s efficiency. 

In this paper, we propose a new discrete logarithm based signcryption scheme 
which satisfies strong security notions: chosen ciphertext security against insider 
attacks (except the hybrid composition proposed in [17] and the identity based 
scheme described in [10], no discrete logarithm based authenticated encryption 
method was formally proven secure in such a model before), strong unforgeabil- 
ity against chosen-message attacks, ciphertext anonymity in the sense of [10] 
(this is an extension of the notion of key privacy proposed in [6] to the signcryp- 
tion case). We also prove that it satisfies a new security notion that is related 
to the one of ciphertext anonymity and that we call ’key invisibility’. We show 
that the scheme’s strong unforgeability is really tightly related to the hardness 
of the Diffie-Hellman problem unlike the scheme proposed in [10] whose proof 
of unforgeability relies on Pointcheval and Stern’s forking lemma and thus only 
provides a loose reduction to a computational problem. In fact, except the hy- 
brid construction of [17] (whose semantic security is based on the stronger hash 
oracle Diffie-Hellman assumption) our scheme appears to be the first discrete 
logarithm based signcryption protocol whose (strong) unforgeability is proven 
to be tightly related to the Diffie-Hellman problem. About the semantic security 
of the scheme, we give heuristic arguments showing that it is more tightly re- 
lated to the Diffie-Hellman problem than expressed by the bounds at first sight. 
Unlike [1],[11] and [22], our protocol is sequential but it is efficient and does 
not require the recipient of a message to know who is the sender before starting 
the de-signcryption process. Our scheme borrows a construction due to Boyen 
([10]) and makes extensive use of the properties of some bilinear maps over the 
so-called Gap Diffie-Hellman groups (in fact, the structure of these groups is also 
exploited in our security proofs). Before describing our scheme, we first recall 
the properties of these maps in section 2. Section 3 formally describes the 
security notions that our scheme, depicted in section 4, is shown to satisfy in the 
security analysis presented in section 5. 
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2 Preliminaries 

2.1 Overview of Pairings 

Let $k$ be a security parameter and $q$ be a $k$-bit prime number. Let us consider 
groups $G_1$ and $G_2$ of the same prime order $q$. For our purposes, we need a bilinear 
map $e : G_1 \times G_1 \to G_2$ satisfying the following properties: 

1. Bilinearity: $\forall P, Q \in G_1$, $\forall a, b \in Z_q^*$, we have $e(aP, bQ) = e(P, Q)^{ab}$. 

2. Non-degeneracy: for any $P \in G_1$, $e(P, Q) = 1$ for all $Q \in G_1$ iff $P = O$. 

3. Computability: an efficient algorithm allows computing $e(P, Q)$ $\forall P, Q \in G_1$. 

The modified Weil pairing ([8]) and the Tate pairing are admissible maps of this 
kind. The group $G_1$ is a suitable cyclic elliptic curve subgroup while $G_2$ is a 
cyclic subgroup of the multiplicative group associated to a finite field. We now 
recall some problems that provided underlying assumptions for many previously 
proposed pairing based cryptosystems. These problems are formalized according 
to the elliptic curve additive notation. 

Definition 1. Given groups $G_1$ and $G_2$ of prime order $q$, a bilinear map $e : 
G_1 \times G_1 \to G_2$ and a generator $P$ of $G_1$, 

- The Computational Diffie-Hellman problem (CDH) in $G_1$ is, given 
$(P, aP, bP)$ for unknown $a, b \in Z_q^*$, to compute $abP \in G_1$. 

- The Decisional Diffie-Hellman problem (DDH) is, given $(P, aP, bP, cP)$ 
for unknown $a, b, c \in Z_q^*$, to decide whether $ab = c \pmod q$ or not. Tuples 
of the form $(P, aP, bP, cP)$ for which the latter condition holds are called 
“Diffie-Hellman tuples”. 

- The Gap Diffie-Hellman problem (GDH) is to solve a given instance 
$(P, aP, bP)$ of the CDH problem with the help of a DDH oracle that is able 
to decide whether a tuple $(P, a'P, b'P, c'P)$ is such that $c' = a'b' \pmod q$. 

As shown in [18], a pairing can implement a DDH oracle. Indeed, in a group 
$G_1$ for which pairings are efficiently computable, to determine whether a tu- 
ple $(P, aP, bP, cP)$ is a valid Diffie-Hellman tuple or not, it suffices to check if 
$e(P, cP) = e(aP, bP)$. This kind of group, where the DDH problem is easy while 
the CDH one is still believed to be hard, is called a Gap Diffie-Hellman group in 
the literature ([18], [21]). 

3 Security Notions for Signcryption Schemes 

We first recall the two usual security notions: the security against chosen cipher- 
text attacks which is also called semantic security and the unforgeability against 
chosen-message attacks. We then consider other security notions that were pro- 
posed by Boyen ([10]) in 2003. In the notion of chosen ciphertext security, we 
consider a multi-user security model as already done in [1], [3], [11], [22] and [10] to 
allow the adversary to query the de-signcryption oracle on ciphertexts created 
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with other private keys than the attacked one. We also consider the security 
against insider attacks by allowing the attacker to choose to be challenged on 
a signcrypted text created by a corrupted user (i.e. a user whose private key 
is known to the attacker). Indeed, for confidentiality purposes, we require the 
owner of a private key to be unable to find any information on a ciphertext 
created with that particular key without knowing which randomness was used 
to produce that ciphertext. As already considered in [1],[10],[11] and [22], this 
also allows us showing that an attacker stealing a private key does not threaten 
the confidentiality of messages previously signcrypted using that private key. 

Definition 2. We say that a signcryption scheme is semantically secure against 
chosen ciphertext attacks (we call this security notion SC-IND-CCA) if no prob- 
abilistic polynomial time (PPT) adversary has a non-negligible advantage in the 
following game: 

1. The challenger runs the key generation algorithm Keygen to generate a pri- 
vate/public key pair $(sk_U, pk_U)$. $sk_U$ is kept secret while $pk_U$ is given to the 
adversary $\mathcal{A}$. 

2. $\mathcal{A}$ performs a first series of queries in a first stage. These queries can be of 
the following kinds: 

- Signcryption queries: $\mathcal{A}$ produces a message $m \in \mathcal{M}$ and an arbitrary 
public key $pk_R$ (that public key may differ from $pk_U$) and requires the 
result Signcrypt($m, sk_U, pk_R$) of the signcryption oracle. 

- De-signcryption queries: $\mathcal{A}$ produces a ciphertext $\sigma$ and requires the result 
of the operation De-signcrypt($\sigma, sk_U$). This result is made of a signed 
plaintext and a sender’s public key if the obtained signed-plaintext is valid 
for the recovered sender’s public key. Otherwise (that is if the obtained 
plaintext-signature pair is not valid for the obtained public key when per- 
forming the de-signcryption operation with the private key $sk_U$), the $\bot$ 
symbol is returned as a result. 

These queries can be asked adaptively: each query may depend on the answers 
to previous ones. 

3. $\mathcal{A}$ produces two plaintexts $m_0, m_1 \in \mathcal{M}$ of equal size and an arbitrary private 
key $sk_S$. The challenger then flips a coin $b \leftarrow_R \{0, 1\}$ to compute a signcryp- 
tion $\sigma = $ Signcrypt($m_b, sk_S, pk_U$) of $m_b$ with the sender’s private key $sk_S$ 
under the attacked receiver’s public key $pk_U$. $\sigma$ is sent to $\mathcal{A}$ as a challenge. 

4. The adversary performs new queries as in the first stage. Now, it may not 
ask the de-signcryption of the challenge $\sigma$ with the private key $sk_U$ of the 
attacked receiver. 

5. At the end of the game, $\mathcal{A}$ outputs a bit $b'$ and wins if $b' = b$. 

$\mathcal{A}$’s advantage is defined to be $Adv^{sc\text{-}ind\text{-}cca}(\mathcal{A}) := 2\Pr[b' = b] - 1$. 

In the notion of unforgeability captured by the formal definition below, as in 
many other previous works ([1], [3], [10], [11], [17], [22], etc.), we allow a forger at- 
tempting to forge a ciphertext on behalf of the attacked user U to know the 
receiver’s private key. In fact, the attacker has to come with the intended re- 
ceiver’s private key $sk_R$ as a part of the forgery. The motivation is to prove that 
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no attacker can forge a ciphertext intended to any receiver on behalf of a given 
sender. In particular, no dishonest user can produce a ciphertext intended to 
himself and try to convince a third party that it emanates from an honest user. 

Definition 3. We say that a signcryption scheme is strongly existentially un- 
forgeable against chosen-message attacks (SC-SUF-CMA) if no PPT adversary 
has a non-negligible advantage in the following game: 

1. The challenger generates a key pair $(sk_U, pk_U)$ and $pk_U$ is given to the forger 
$\mathcal{F}$. 

2. The forger $\mathcal{F}$ queries the oracles $Signcrypt_{sk_U}(\cdot, \cdot)$ and $De\text{-}signcrypt_{sk_U}(\cdot)$ 
exactly as in the previous definition. Again, these queries can also be produced 
adaptively. 

3. At the end of the game, $\mathcal{F}$ produces a ciphertext $\sigma$ and a key pair $(sk_R, pk_R)$ 
and wins the game if the result of the operation De-signcrypt($\sigma, sk_R$) is a tu- 
ple $(m, s, pk_U)$ such that $(m, s)$ is a valid signature for the public key $pk_U$ such 
that $\sigma$ was not the output of a signcryption query Signcrypt($m, sk_U, pk_R$) 
made during the game. 

Recall that, in the corresponding notion of conventional (i.e. non-strong) unforge- 
ability for signcryption schemes, the attacker cannot win if the outputted cipher- 
text was the result of any signcryption query. In our context, as in [1], [17], [11], 
and many other works, the forger is allowed to have obtained the forged cipher- 
text as the result of a signcryption query for a different receiver’s public key than 
the one corresponding to the claimed forgery. The only constraint is that, for the 
message $m$ obtained by de-signcryption of the alleged forgery with the chosen 
private key $sk_R$, the outputted ciphertext $\sigma$ was not obtained as the result of a 
Signcrypt($m, sk_U, pk_R$) query. 

In [10], Boyen also proposed additional security notions for signcryption 
schemes. One of the most important ones was the notion of ciphertext anonymity 
that can be viewed as an extension to authenticated encryption schemes of the 
notion of key privacy already considered by Bellare et al. in [6]. Intuitively, in the 
context of public key encryption, a scheme is said to have the key privacy prop- 
erty if ciphertexts convey no information about the public key that was used to 
create them. In the signcryption setting, we say that the ciphertext anonymity 
(or key privacy) property is satisfied if ciphertexts contain no information about 
who created them nor about to whom they are intended. This notion is a trans- 
position into the non-identity based setting of the one presented in [10]. It can 
be described as follows. 

Definition 4. A signcryption scheme is said to satisfy the ciphertext anonymity 
property (also called key privacy or key indistinguishability: we call this notion 
SC-INDK-CCA for short) if no PPT distinguisher has a non-negligible advantage 
in the following game: 

1. The challenger generates two key pairs $(sk_{R,0}, pk_{R,0})$ and $(sk_{R,1}, pk_{R,1})$. 
$pk_{R,0}$ and $pk_{R,1}$ are given to the distinguisher $\mathcal{D}$. 
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2. $\mathcal{D}$ adaptively performs queries Signcrypt($m, sk_{R,c}, pk_R$), for arbitrary recip- 
ient keys $pk_R$, and De-signcrypt($\sigma, sk_{R,c}$) for $c = 0$ or $c = 1$. 

3. Once stage 2 is over, $\mathcal{D}$ outputs two private keys $sk_{S,0}$ and $sk_{S,1}$ and a 
plaintext $m \in \mathcal{M}$. The challenger then flips two coins $b, b' \leftarrow_R \{0, 1\}$ and 
computes a challenge ciphertext $\sigma = $ Signcrypt($m, sk_{S,b}, pk_{R,b'}$) which is 
sent to $\mathcal{D}$. 

4. $\mathcal{D}$ adaptively performs new queries as in stage 2 with the restriction that, 
this time, it is disallowed to ask the de-signcryption of the challenge $\sigma$ with 
the private keys $sk_{R,0}$ or $sk_{R,1}$. 

5. At the end of the game, $\mathcal{D}$ outputs bits $d, d'$ and wins if $(d, d') = (b, b')$. Its 
advantage is defined to be $Adv^{sc\text{-}indk\text{-}cca}(\mathcal{D}) := \Pr[(d, d') = (b, b')] - 1/4$. 

Again, this notion captures the security against insider attacks since the distin- 
guisher is allowed to choose a set of two private keys among which the one used 
as sender’s key to create the challenge ciphertext is picked by the challenger. 
The above definition can be viewed as a transposition to the non-identity based 
setting of the definition of ciphertext anonymity proposed by Boyen ([10]) as 
well as an extension of the definition of key privacy ([6]) to the authenticated 
encryption context. We introduce another notion called ’key invisibility’ which 
is close to the concept (formalized by Galbraith and Mao in [14]) of invisibility 
for undeniable signatures. Intuitively, this notion expresses the impossibility to 
decide whether a given ciphertext was actually created using a given particular 
sender’s private key and a given particular receiver’s public key. 

Definition 5. We say that a signcryption scheme satisfies the key invisibility 
(we denote this notion by SC-INVK-CCA for short) if no PPT distinguisher has 
a non-negligible advantage in the following game: 

1. The challenger generates a private/public key pair $(sk_U, pk_U)$. $pk_U$ is given 
to the distinguisher $\mathcal{D}$. 

2. $\mathcal{D}$ adaptively performs queries Signcrypt($m, sk_U, pk_R$), for arbitrary recip- 
ient keys $pk_R$, and De-signcrypt($\sigma, sk_U$). 

3. Once stage 2 is over, $\mathcal{D}$ outputs a private key $sk_S$ and a plaintext $m \in \mathcal{M}$. 
The challenger then flips a coin $b \leftarrow_R \{0, 1\}$. If $b = 0$, then the challenger 
returns an actual challenge ciphertext $\sigma = $ Signcrypt($m, sk_S, pk_U$) to $\mathcal{D}$. 
If $b = 1$, then the challenger returns a random $\sigma$ uniformly taken from the 
ciphertext space $\mathcal{C}$. 

4. $\mathcal{D}$ adaptively performs new queries as in stage 2 with the restriction that, 
this time, it cannot require the de-signcryption of the challenge $\sigma$ with the 
private key $sk_U$. 

5. At the end of the game, $\mathcal{D}$ outputs a bit $d$ and wins if $d = b$. Its advantage is 
defined as $Adv^{sc\text{-}invk\text{-}cca}(\mathcal{D}) := 2\Pr[d = b] - 1$. 

Again, we allow the distinguisher to choose which private key is used as a part 
of the challenge to take insider attacks into account. 

Galbraith and Mao ([14]) showed that anonymity and invisibility are essen- 
tially equivalent security notions for undeniable signatures. While one can prove 
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in the same way that key privacy and key invisibility are also essentially equiva- 
lent for some particular encryption schemes, such an equivalence turns out to be 
unclear in the signcryption case. In fact, one cannot prove that a distinguisher 
against the key invisibility implies a distinguisher against the key privacy with 
the same advantage (because two random coins are used by the challenger in the 
definition of key privacy and a single one for key anonymity). However, we can 
prove that, for signcryption schemes satisfying some particular properties (that 
is, for a given message and a given sender’s private key, the output of the sign- 
cryption algorithm must be uniformly distributed in the ciphertext space when 
the receiver’s public key is random), key invisibility implies 
key privacy. This will be shown in [19]. In the next section we propose a scheme 
that satisfies both of them (in addition to the usual notions of semantic security 
and unforgeability) in the random oracle model. 



4 A Diffie-Hellman Based Signcryption Scheme with Key 
Privacy 

This section presents a signcryption scheme whose unforgeability under chosen- 
message attacks is tightly related to the hardness of the computational Diffie- 
Hellman problem in Gap Diffie-Hellman groups. Our solution relies on the BLS 
signature ([9]) whose security is enhanced by a random quantity U which is used 
for encryption purposes but also acts as a random salt to provide a tighter secu- 
rity reduction to the Diffie-Hellman problem in Gi in the proof of unforgeability. 

We assume that both the sender and the receiver agreed on public param- 
eters: security parameters $k$ and $\ell$, cyclic groups $G_1$ and $G_2$ of prime order 
$q > 2^k$ such that $\ell$ is the number of bits required to represent elements of $G_1$, 
a generator $P$ of $G_1$ and a bilinear map $e : G_1 \times G_1 \to G_2$. They also agree 
on cryptographic hash functions $H_1 : \{0, 1\}^{n+2\ell} \to G_1$, $H_2 : G_1^3 \to \{0, 1\}^{\ell}$ and 
$H_3 : \{0, 1\}^{\ell} \to \{0, 1\}^{n+\ell}$ where $n$ denotes the size of plaintexts (i.e. the message 
space is $\mathcal{M} = \{0, 1\}^n$). The scheme consists of the following three algorithms 
(we recall that the symbol $\oplus$ denotes the bitwise exclusive OR). 

Keygen: user $u$ picks a random $x_u \leftarrow_R Z_q^*$ and sets his public key to $Y_u = 
x_u P \in G_1$. His private key is $x_u$. We will denote the sender and the receiver 
respectively by $u = S$ and $u = R$ and their key pairs by $(x_S, Y_S)$ and $(x_R, Y_R)$. 
Signcrypt: to signcrypt a plaintext $m \in \{0, 1\}^n$ intended to $R$, the sender $S$ 
uses the following procedure 

1. Pick a random $r \leftarrow_R Z_q^*$ and compute $U = rP \in G_1$. 

2. Compute $V = x_S H_1(m, U, Y_R) \in G_1$. 

3. Compute $W = V \oplus H_2(U, Y_R, rY_R) \in \{0, 1\}^{\ell}$ and then scramble the 
plaintext together with the sender’s public key: $Z = (m \| Y_S) \oplus H_3(V) \in 
\{0, 1\}^{n+\ell}$. 

The ciphertext is given by $\sigma = (U, W, Z) \in G_1 \times \{0, 1\}^{n+2\ell}$. 
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De-signcrypt: when receiving a ciphertext $\sigma = (U, W, Z)$, the receiver $R$ has 
to perform the steps below: 

1. Compute $V = W \oplus H_2(U, Y_R, x_R U) \in \{0, 1\}^{\ell}$. 

2. Compute $(m \| Y_S) = Z \oplus H_3(V) \in \{0, 1\}^{n+\ell}$. Reject $\sigma$ if $Y_S$ is not a point 
on the curve on which $G_1$ is defined. 

3. Compute $H = H_1(m, U, Y_R) \in G_1$ and then check if $e(Y_S, H) = e(P, V)$. 
If this condition does not hold, reject the ciphertext. 

The consistency of the scheme is easy to verify. To prove to a third party that the sender $S$ actually signed a plaintext $m$, the receiver just has to forward it $m$ and $(U, V, Y_R)$. The third party can then compute $H$ as in step 3 of de-signcrypt and perform the signature verification as in the same step 3. We note that, in the signcryption algorithm, the recipient's public key must be hashed together with the pair $(m, U)$ in order to achieve provable strong unforgeability.

As pointed out in [15], in some applications it is interesting for the origin of a signcrypted text to be publicly verifiable (by firewalls for example). In some other applications it is undesirable: indeed, as explained in [10], in some cases it is better for a signcrypted text not to convey any information about its sender nor about its intended receiver. This property, called anonymity of ciphertexts, is provided by the above scheme as shown in the next section.

From an efficiency point of view, we can easily verify that the above scheme is at least as efficient as, and more compact than, any sequential composition of the BLS signature ([9]) with any other Diffie-Hellman based chosen ciphertext secure encryption scheme ([2], [4], [12], [13], [23], etc.): indeed only three scalar multiplications in $G_1$ are required for the signcryption operation while 1 multiplication and 2 pairings must be performed in the de-signcryption process. A sequential combination of the BLS signature with the encryption scheme proposed in [2] would involve an additional multiplication at decryption. If we take $\ell \approx k \ge 160$ (by working with an appropriate elliptic curve), we see that ciphertexts are about 480 bits longer than plaintexts. Any combination of the BLS signature with a CCA-secure El Gamal type cryptosystem would result in longer final ciphertexts. With the same choice of parameters, a composition of the BLS signature with the length-saving El Gamal encryption scheme ([2]) would result in ciphertexts that would be 640 bits longer than plaintexts.

5 Security Analysis 

In this section, we first show that an adversary against the SC-IND-CCA security of the scheme implies a PPT algorithm that can solve the Diffie-Hellman problem in $G_1$ with high probability. This fact is formalized by the following theorem.

Theorem 1. In the random oracle model, if an adversary $A$ has a non-negligible advantage $\epsilon$ against the SC-IND-CCA security of the above scheme when running in a time $t$ and performing $q_{SC}$ signcryption queries, $q_{DSC}$ de-signcryption queries and $q_{H_i}$ queries to oracles $H_i$ (for $i = 1, \ldots, 4$), then there exists an algorithm $B$ that can solve the CDH problem in the group $G_1$ with a probability $\epsilon' \ge \epsilon - q_{H_3} q_{DSC}/2^k$ in a time $t' \le t + (4 q_{DSC} + 2 q_{H_2})\, t_e$ where $t_e$ denotes the time required for one pairing evaluation.

Proof. The algorithm $B$ runs $A$ as a subroutine to solve the CDH problem in polynomial time. Let $(aP, bP)$ be a random instance of the CDH problem in $G_1$. $B$ simulates $A$'s challenger in the game of definition 2 and starts it with $Y_u = bP \in G_1$ as a challenge public key. $A$ then adaptively performs queries as explained in the definition. To handle these queries, $B$ maintains lists $L_i$ to keep track of the answers given to oracle queries on $H_i$ for $i = 1, 2, 3$. Hash queries on $H_2$ and $H_3$ are treated in the usual way: $B$ first checks in the corresponding list if the oracle's value was already defined at the queried point. If it was, $B$ returns the defined value. Otherwise, it returns a random element from the appropriate range and updates the corresponding list. When a hash query $H_1(m, U, Y_R)$ is performed, $B$ first looks if the value of $H_1$ was previously defined for the input $(m, U, Y_R)$. If it was, the previously defined value is returned. Otherwise, $B$ picks a random $t \leftarrow_R \mathbb{Z}_q$, returns $tP \in G_1$ as an answer and inserts the tuple $(m, U, Y_R, t)$ into $L_1$.

Now, let us see how signcryption and de-signcryption queries are dealt with: 

- For a signcryption query on a plaintext $m$ with a recipient's public key $Y_R$, both chosen by the adversary $A$, $B$ first picks a random $r \leftarrow_R \mathbb{Z}_q$, computes $U = rP \in G_1$ and checks if $L_1$ contains a tuple $(m, U, Y_R, t)$ indicating that $H_1(m, U, Y_R)$ was previously defined to be $tP$. If no such tuple is found, $B$ picks a random $t \leftarrow_R \mathbb{Z}_q$ and puts the entry $(m, U, Y_R, t)$ into $L_1$. $B$ then computes $V = tY_u = t(bP) \in G_1$ for the random $t$ chosen or recovered from $L_1$. The rest follows as in the normal signcryption process: $B$ computes $rY_R$ (for the $Y_R$ specified by the adversary), runs the $H_2$ simulation process to obtain $h_2 = H_2(U, Y_R, rY_R)$, and then computes $W = V \oplus h_2$ and $Z = (m \| Y_u) \oplus h_3$ where $h_3$ is obtained by simulation of the $H_3$ oracle on the input $V$. $(U, W, Z)$ is then returned as a signcryption of $m$ from the sender of public key $Y_u$ to the recipient of public key $Y_R$.

- For a de-signcryption query on a ciphertext $(U, W, Z)$ and a sender's public key $Y_S$, both chosen by $A$, $B$ proceeds as follows: it scans the list $L_2$, looking for tuples $(U, Y_u, S_i, h_{2,i})$ (with $0 < i \le q_{H_2}$) such that $V_i = h_{2,i} \oplus W$ exists in an entry $(V_i, h_{3,i})$ of $L_3$ and, for the corresponding elements $h_{3,i}$, $(m_i \| Y_{S,i}) = h_{3,i} \oplus Z \in \{0,1\}^{n+\ell}$ is such that there exists an entry $(m_i, U, Y_u, h_{1,i})$ in the list $L_1$. If no such tuples are found, the $\perp$ symbol is returned to $A$. Otherwise, elements $(m_i, U, V_i, S_i, h_{1,i})$ satisfying those conditions are kept for future examination. If one of them satisfies both $e(P, S_i) = e(U, Y_u)$ and $e(Y_{S,i}, h_{1,i}) = e(P, V_i)$, then $(m_i, (U, V_i))$ is returned as a message-signature pair together with the sender's public key $Y_S$.

At the end of the first stage, $A$ outputs two plaintexts $m_0$ and $m_1$ together with an arbitrary sender's private key $x_S$ and requires a challenge ciphertext built under the recipient's public key $Y_u$. $B$ ignores $m_0$ and $m_1$ and randomly picks two binary strings $W \leftarrow_R \{0,1\}^{\ell}$ and $Z \leftarrow_R \{0,1\}^{n+\ell}$. A challenge ciphertext $\sigma = (U, W, Z) = (aP, W, Z)$ is then sent to $A$ that then performs a second series of queries at a second stage. These queries are handled by $B$ as those at the first stage. As done in many other papers in the literature, it is easy to show that $A$ will not realize that $\sigma$ is not a valid signcryption for the sender's private key $x_S$ and the public key $Y_u$ unless it asks for the hash value $H_2(aP, bP, abP)$. In that case, the solution of the Diffie-Hellman problem would be inserted in $L_2$ exactly at that moment and it does not matter if the simulation of $A$'s view is no longer perfect.

At the end of the game, $A$ produces a result which is ignored by $B$. The latter just looks into the list $L_2$ for tuples of the form $(aP, bP, D_i, .)$. For each of them, $B$ checks whether $e(P, D_i) = e(aP, bP)$ and, if this relation holds, stops and outputs $D_i$ as a solution of the CDH problem. If no tuple of this kind satisfies the latter equality, $B$ stops and outputs "failure".

Now, to assess $B$'s probability of success, let us denote by AskH2 the event that $A$ asks the hash value of $abP$ during the simulation. As done in several papers in the literature (see [8] or [10]), as long as the simulation of the attack's environment is perfect, the probability for AskH2 to happen is the same as in a real attack (i.e. an attack where $A$ interacts with real oracles). In a real attack we have

$$\Pr[b = b'] \le \Pr[b = b' \mid \neg \mathrm{AskH2}] \Pr[\neg \mathrm{AskH2}] + \Pr[\mathrm{AskH2}] = \frac{1}{2} + \frac{1}{2} \Pr[\mathrm{AskH2}]$$

and then we have $\epsilon = 2 \Pr[b = b'] - 1 \le \Pr[\mathrm{AskH2}]$. Now, the probability that the simulation is not perfect remains to be assessed. The only case where it can happen is when a valid ciphertext is rejected in a de-signcryption query. It is easy to see that for every pair $(V_i, h_{3,i})$ in $L_3$, there is exactly one pair $(h_{1,i}, h_{2,i})$ of elements in the range of oracles $H_1$ and $H_2$ providing a valid ciphertext. The probability to reject a valid ciphertext is thus not greater than $q_{H_3}/2^k$. The bound on $B$'s computation time derives from the fact that every de-signcryption query requires at most 4 pairing evaluations while the extraction of the solution from $L_2$ implies computing at most $2 q_{H_2}$ pairings. □

The above security proof makes use of the pairing's bilinearity to handle de-signcryption queries and thus avoids the use of constructions such as [2], [23], [13], [12] that would increase the ciphertext's length or imply additional computation in the de-signcryption operation (this is one of the interests in working with Gap Diffie-Hellman groups). This results in a worst-case bound on algorithm $B$'s computation time that seems to be loose: to extract the solution of the CDH problem, $B$ might have to compute up to $2 q_{H_2}$ pairings if $A$ only queries oracle $H_2$ on tuples of the form $(aP, bP, .)$. If we allow up to 2®° $H_2$-queries, this appears to be a loose bound at first sight. But we stress that, heuristically, if $A$ asks many hash queries of tuples $(aP, bP, .)$ that are not valid Diffie-Hellman tuples, that means it has no better strategy to find information about the challenge ciphertext than computing the XOR of the ciphertext's $W$-component with hash values of random tuples. Such a strategy would not be more efficient for $A$ than an exhaustive search of the solution to the Diffie-Hellman instance embedded in the challenge ciphertext. An attacker having a non-negligible advantage against the semantic security would ask far fewer hash queries of invalid Diffie-Hellman tuples. We can thus expect that, at the end of the simulation, $L_2$ only contains a limited number of entries $(aP, bP, .)$.

We note that the bound on $B$'s probability of success is tight: if we allow $q_{DSC} \le$ and $q_{H_3} \le$ 2™, with $k \ge 160$, we obtain $q_{H_3} q_{DSC}/2^k \le 2^{-80}$, which is a negligible function of the parameter $k$.

The following theorem claims the strong unforgeability of the scheme. 

Theorem 2. In the random oracle model, if there exists an adversary $\mathcal{F}$ that has a non-negligible advantage $\epsilon$ against the SC-SUF-CMA security of the scheme when running in a time $t$, making $q_{SC}$ signcryption queries, $q_{DSC}$ de-signcryption queries and at most $q_{H_i}$ queries on oracles $H_i$ (for $i = 1, \ldots, 4$), then there exists an algorithm $B$ that can solve the Diffie-Hellman problem in $G_1$ with a probability $\epsilon' \ge \epsilon - q_{SC} q_{H_1}/2^k - \ldots$ in a time $t' \le t + 4 q_{DSC}\, t_e$ where $t_e$ denotes the time required for a pairing evaluation.

Proof, given in the full paper ([19]). □

This time, we obtain bounds that are explicitly tight. With $k \ge 160$, if we allow $q_{H_3} \le$ 2™ and $q_{H_1} \le$ 2®°, $q_{DSC} \le$ 2^° we have $q_{SC} q_{H_1}/2^k < 1/$2®° and we still have $q_{DSC} q_{H_3}/2^k < 2^{-80}$. We thus have a negligible degradation of $B$'s probability of success when compared to the adversary's advantage. The bound on $B$'s running time is also reasonably tight for $q_{DSC} \le$ 2®°.

The theorem below claims the ciphertext anonymity property of the scheme. 

Theorem 3. In the random oracle model, assume there exists a PPT distinguisher $\mathcal{D}$ that has a non-negligible advantage $\epsilon$ against the SC-INDK-CCA security of the scheme when running in a time $t$, performing $q_{SC}$ signcryption queries, $q_{DSC}$ de-signcryption queries and $q_{H_i}$ queries to oracle $H_i$ (for $i = 1, \ldots, 4$). Then there exists an algorithm $B$ that solves the CDH problem with an advantage $\epsilon' \ge \epsilon - 1/2^{n+\ell-1} - q_{DSC} q_{H_3}/2^k$ when running in a time $t' \le t + (4 q_{DSC} + 2 q_{H_2})\, t_e$ where $t_e$ denotes the time required for one pairing evaluation.

Proof, given in the full paper ([19]). □

Again, the bound on $B$'s computation time might seem to be meaningless but, as for the proof of theorem 1, we can argue that a distinguisher performing many $H_2$ queries on invalid Diffie-Hellman tuples would have no better strategy than an exhaustive search for Diffie-Hellman instances embedded in the challenge ciphertext. However, if we look at the proofs of semantic security and ciphertext anonymity for the scheme described in [10], although no bound is explicitly given for the running time of solvers for the bilinear Diffie-Hellman problems, these bounds are not tighter than ours. Furthermore, the proof of ciphertext anonymity provided in [10] leads to a significant degradation of the solver's advantage when compared to the distinguisher's one.

We close this section with the following theorem related to the key invisibility. 
Theorem 4. In the random oracle model, if there exists a distinguisher $\mathcal{D}$ having a non-negligible advantage $\epsilon$ against the SC-INVK-CCA security of the scheme when running in a time $t$ and performing $q_{H_i}$ queries to oracles $H_i$, for $i = 1, \ldots, 4$, $q_{SC}$ signcryption queries and $q_{DSC}$ de-signcryption queries, then there exists an algorithm $B$ that solves the CDH problem with an advantage $\epsilon' \ge \epsilon - 1/2^{n+\ell-1} - q_{DSC} q_{H_3}/2^k$ in a time $t' \le t + (4 q_{DSC} + 2 q_{H_2})\, t_e$ where $t_e$ is the time required for a pairing evaluation.

Proof, given in the full paper ([19]). □

6 Conclusions 

We proposed a new Diffie-Hellman based signcryption scheme satisfying strong security requirements. It turns out to be the discrete log based signcryption protocol whose unforgeability is the most tightly related to the Diffie-Hellman problem (except for the construction in [17], all provably secure solutions are built on signatures having a security proof relying on the forking lemma ([24], [25]), and the CCA-security of [17] relies on stronger assumptions than the present scheme). By heuristic arguments, we argued that the reduction from an adaptive chosen ciphertext adversary to a solver for the Diffie-Hellman problem is also efficient. We also introduced a security notion called 'key invisibility' that can be shown to imply 'key privacy' in some cases (see [19] for details).
Abstract. The problem MQ of solving a system of multivariate quadratic equations over a finite field is relevant to the security of AES and for several public key cryptosystems. For example Sflash, the fastest known signature scheme (cf. [1]), is based on MQ equations over $GF(2^7)$, and Patarin's 500 $ HFE Challenge 2 is over $GF(2^4)$. Similarly, the fastest alleged algebraic attack on AES due to Courtois, Pieprzyk, Murphy and Robshaw uses an MQ system over $GF(2^8)$.

At present very little is known about practical solvability of such systems of equations over $GF(2^k)$. The XL algorithm from Eurocrypt 2000 was initially studied over $GF(p)$, and only recently in two papers presented at CT-RSA'02 and ICISC'02 the behaviour of XL is studied for systems of equations over $GF(2)$. In this paper we show (as expected) that XL over $GF(2^k)$, $k > 1$ (never studied so far) does not always work very well. The reason is the existence of additional roots to the system in the extension field, which is closely related to the remark made by Moh, claiming that the XSL attack on AES cannot work. However, we explain that the specific set of equations proposed by Murphy and Robshaw already contains a structure that removes the problem. From this, we deduce a method to modify XL so that it works much better over $GF(2^k)$. In addition we show how to break the signature scheme Sflash-v2 recently selected by the European consortium Nessie, by three different methods derived from XL. Our fastest attack is in $2^{58}$. All the three attacks apply also to HFE Challenge 2, and our best attack is in $2^{63}$.

Key Words: Multivariate quadratic equations, MQ problem, overdefined systems of multivariate equations, XL algorithm, Gröbner bases, algebraic attacks on AES, XSL, Murphy-Robshaw equations on AES.



1 Introduction 

In the perpetual search for hard problems on which to base cryptographic security, there is a growing interest in so called "multivariate problems". These problems are usually NP-hard. In terms of scalability of the systems, the best problems are those for which all known attacks are exponential: it is then sufficient to increase slightly the parameter sizes, to keep up with progress in the attacks, or with an increase in the speed of computers. One such problem is the problem MQ, of solving a system of multivariate quadratic equations over a small finite field. Several public key cryptosystems based on MQ have been proposed, for example the HFE family [30,9]. In this paper we study generic attacks that solve the underlying MQ problem independently of the existence of the trapdoor. They apply also to random quadratic equations.

At Crypto'99, Shamir and Kipnis presented a surprising method called relinearization for solving overdefined systems of multivariate quadratic equations. They point out that, if such a system of equations is overdefined (many more equations than needed), then it can be solved much faster than expected. Subsequently, at Eurocrypt 2000 [32], Courtois, Klimov, Patarin and Shamir presented a new algorithm called XL (and also FXL) that can be seen as an improved version of relinearization.

From [32] and still at present, very little is known about the exact complexity and behaviour of XL. Initially in [32] it was studied mainly over $GF(p)$. Recently a lot of interest emerged in solving MQ systems over $GF(2)$ and $GF(2^k)$, due to the Courtois-Pieprzyk method to attack AES by such means [15,26]. At CT-RSA 2002 Courtois and Patarin studied the XL algorithm over $GF(2)$ and showed that it works much better than expected from [32] or from the naive criticism of it published on the internet [24]. At ICISC 2002, Courtois studied the extension of XL to equations of degree higher than 2, and again demonstrated that it works very well, which made it possible to cryptanalyse the stream cipher Toyocrypt, see [7]. The object of this paper is rather to study MQ over fields of the form $GF(2^k)$, $k > 1$. Such equations appear for example in the signature schemes Flash, Sflash and Sflash-v2 published at CT-RSA 2002, out of which Sflash-v2 has been selected by Nessie (in company of ECDSA and RSA-PSS). Also, in the fastest known alleged attack on AES due to Courtois-Pieprzyk and Murphy-Robshaw [15,26], the equations are quadratic over $GF(2^8)$.

2 Notation and Conventions Used in This Paper 

The MQ Problem 

In this paper we consider the problem of solving a system of $m$ multivariate quadratic equations with $n$ variables over a finite field $GF(q)$. We use notations very similar to those in [32] and [14]. The input variables are denoted by $x_i$ and belong to $GF(q)$ with $q = 2^k$. The equations are denoted by $l_i$ and are quadratic (which means they can also include linear and constant terms). Our system to solve will be:

$$\begin{cases} l_1(x_1, \ldots, x_n) = 0 \\ \quad \vdots \\ l_m(x_1, \ldots, x_n) = 0 \end{cases}$$
Given $m, n, q$ we call MQ the problem of finding one (not necessarily all) solutions to such a system chosen at random. Typically in cryptographic applications, $k$ can be between 4 and 8 and $m, n$ can be between 26 and 1600 (for AES, see [15,26]). The MQ problem is NP-hard, see [20].

Remark: In the XL description in [32,14] the powers of variables are taken in $GF(q)$, i.e. reduced modulo $q$ to the range $1, \ldots, q - 1$, because of the equation $x_i^q = x_i$ of the finite field $GF(q)$. Thus if $q = 2$ there would be no powers of $x_i$ bigger than 1. For us it makes no difference, as in all cases studied in this paper we have $q \ge 16$ and we will never generate or manipulate equations of degree equal to or bigger than $q - 1$.



Instances of MQ That Will Be Used in This Paper 

If $m > n$ the system is said to be overdefined. Similarly as in [32,14], we will see that for a fixed $n$, the bigger $m$ is, the easier the MQ problem becomes. If $m < n$ the system is said to be underdefined, and efficient algorithms for the underdefined MQ have been studied in [5]. In general, following [32,14], we expect that the hardest case of MQ is when $m \approx n$.

In practice, if we have a system with $n > m$, as in the Sflash public key [12], we will start by fixing some variables to arbitrary values, get a system with $m \ge n$, and then try to solve it. (When over $GF(2^k)$, it is unclear if one can take advantage of the initial $n > m$, cf. [5].)

For all our MQ systems we will always ensure/assume that the system has one and unique solution; we refer to Section 4.1 or to the end of Section 5.1 to see why this is very important. Having one unique solution happens frequently in cryptographic applications of MQ, and it is also the average number of solutions of a random MQ with $m = n$. Moreover, in practice, for systems that have several solutions, we can always reduce to a system having one solution, by guessing a few variables.



Manipulating the Equations 

Because the right hand side of all our equations is always 0, it is very useful to identify a multivariate polynomial with the equation that says it is equal to 0. Thus the equation $l_i(x_1, \ldots, x_n) = 0$ can be simply called the equation $l_i$, and the equation $x_1 \cdot l_2(x_1, \ldots, x_n) = 0$ can be called simply $x_1 l_2$.

We say that the equations of the form $\prod_{j=1}^{k} x_{i_j} \cdot l_i = 0$, with all the $i_j$ being pairwise different, are of type $x^k l$, and we call $x^k l$ the set of all these equations. For example the initial equations $l_i$ are of type $l$. We observe that each solution $x$ that satisfies all the equations $l_i$ also satisfies all the equations of type $x^k l$, for any $k \ge 0$. Similarly we denote by $x^k$ the set of all terms of degree exactly $k$, $\prod_{j=1}^{k} x_{i_j}$. By extension we define $x^0 = \{1\}$, the constant monomial.

Let $D \in \mathbb{N}$. We consider all the polynomials $\prod_j x_{i_j} \cdot l_i$ of total degree $\le D$. Let $I_D$ be the set of equations they span. $I_D$ is the linear space generated by all the $x^k l$, $0 \le k \le D - 2$. We have $I_D \subset I$, $I$ being the ideal spanned by the $l_i$.

We call $T$ the set of monomials, including the constant monomial, that appear in all the equations of $I_D$.



3 The Basic Principle of XL 

Let $D$ be the parameter of the XL algorithm. Following [32,14]:

Definition 3.0.1 (The XL algorithm). Execute the following steps:

1. Multiply: Generate all the products $\prod_{j=1}^{k} x_{i_j} \cdot l_i \in I_D$ with $k \le D - 2$.

2. Linearize: Consider each monomial in the $x_i$ of degree $\le D$ as a new variable and perform Gaussian elimination on the equations obtained in 1. The ordering on the monomials must be such that all the terms containing one variable (say $x_1$) are eliminated last.

3. Find $x_1$: Assume that step 2 yields at least one univariate equation in the powers of $x_1$. Solve this equation over the finite field (e.g., with Berlekamp's algorithm). There may be several roots.

4. Recover the other variables: For each root $x_1$ substitute it into the expanded equations and, directly from the Gaussian reduction done in step 2, find the values of all the other monomials, in particular for all the other variables $x_i$.

4 The Necessary Condition for XL to Work 

We will always assume $q = 2^k$, $k > 1$. We also always assume $D < q - 1$, because we will have $q \ge 16$ and $D$ will remain quite small (XL is exponential in $D$). The XL algorithm consists of multiplying the initial $m$ equations $l_i$ by all possible monomials of degree up to $D - 2$, so that the total degree of the resulting equations is $D$. With the notations introduced above, this set of equations is called $I_D$. Let $R$ be the number of equations generated in $I_D$ and $T$ be the number of all monomials. When $D < q - 1$ we have:



It is likely that not all of these equations are linearly independent, and we denote by Free the exact dimension of $I_D$. We have Free $\le R$. We also have necessarily Free $\le T$.

The basic principle of XL is the following: one monomial in $T$ can be generated in many different ways when different equations are multiplied by different monomials. Therefore $T$ grows slower than $R$ and for some $D$ we will have $R \ge T$. Then we expect that Free $\approx T$, as obviously it cannot be bigger than $T$. In [32], when Free $\ge T - D$, it is possible to obtain one equation with only one variable $x_1$, and XL will succeed. (However in [14] two improved versions of XL are introduced, XL' and XL2, that will work when Free $\ge T - T'$, for some $T'$ that may be substantially bigger than $D$.)

Simplified Analysis of XL from [32]

In Section 6 of [32], $R$ is evaluated as $R = m \cdot \binom{n+D-2}{D-2} \approx m \cdot \frac{n^{D-2}}{(D-2)!}$ and $T$ is evaluated as $T \approx \frac{n^{D}}{D!}$. The authors state that "if most of the equations are linearly independent" then XL will succeed as long as $R \ge T$, which gives $m \ge \frac{n^2}{D(D-1)} \approx \frac{n^2}{D^2}$, and thus they obtain the (approximate) bound $D \ge \frac{n}{\sqrt{m}}$.

4.1 General Theory and Moh’s Comments on XL 

In [24], Moh states that "From the theory of Hilbert-Serre, we may deduce that the XL program will work for many interesting cases for $D$ large enough". According to [23], in XL we always have Free $\le T - \alpha$, and when $D$ is sufficiently big, we have Free $= T - \alpha$. Here $\alpha$ is the number of solutions to the system, including not only the solutions when $x_i \in GF(q)$, but also when the $x_i$ lie in an algebraic extension of the field $GF(q)$, or projective solutions (points at infinity). Thus, on the one side, under our condition that our system has one and unique solution, and if there are no projective solutions or solutions in an extension field, XL should work and for $D$ large enough we should have Free $= T - 1$. On the other side, this condition is necessary, and when the system has several solutions, Free $= T - 1$ is never achieved and the basic XL cannot work. Thus, in Section 4 of [24], Moh shows an interesting example on which XL always fails. However:

— For XL over $GF(2)$, it is shown in [14] that this kind of counter-example cannot occur, because the added equations $x_i^2 = x_i$ make the system have no points at infinity, and the additional solutions in the algebraic closure of $GF(2)$ are excluded.

— In this paper we work over $GF(2^k)$, $k \ne 1$, and we will face this problem. In Section 6 we will see that XL will not work well when $m = n$; then in Section 7 we will present a new version of XL, called XLF, that will work even in this case. (In addition, we will see that in practice, if $2^k$ is not too big, and only then, two other already known versions of XL can also circumvent this problem.)

5 Important Remarks About XL Algorithm over GF{2^) 

Let Free be the dimension of $I_D$, i.e. the maximum number of equations that are linearly independent. Very little is known about the value of Free for $D > 3$. In the paper that describes XL, the authors demonstrate that XL works with a series of computer simulations over $GF(127)$ (and some more are given in the extended version of the paper [32]). In [14,7] the authors study the XL algorithm over $GF(2)$. They do many computer simulations and are able to predict the exact value of Free obtained in these simulations. In this paper we will do the same for XL over $GF(2^k)$, $k > 1$.

5.1 The Behaviour of XL - Upper Bounds 

In general it is not always possible to have Free $= R$. In many cases the equations generated by XL are not all linearly independent. One reason for this is that Free cannot exceed $T$, as the equations lie in a linear space spanned by all the $T$ monomials. We have therefore always

$$\mathrm{Free} \le \min(T, R)$$

Moreover, it is possible to see that if the system is not contradictory, and has one solution, then:

$$\mathrm{Free} \le \min(T - 1, R)$$

This can be shown by contradiction: if Free $= T$ then by elimination of the $T - 1$ non-constant monomials, some linear combination of the given equations will be 1, and if there is a solution to these equations, by substituting it, we get $0 = 1$.

5.2 The Behaviour of XL - Interesting Cases 

As we will see in the present paper, the behaviour of XL over $GF(2^k)$, when $k$ is not too small (e.g. $k = 7$), is very similar to the general behaviour of XL over a big field $GF(p)$ studied in detail (with many computer simulations) in [32]:

— XL works very well for (even slightly) overdefined systems of equations, i.e. when $m$ exceeds $n$ by even a small value, cf. Appendix A.

— However when $m \approx n$, and as long as the XL parameter $D$ is smaller than the cardinality of the field, it is possible to see that XL does not work very well for systems of quadratic equations over $GF(2^k)$.

A different behaviour is observed for XL over a very small finite field (such as $GF(2)$ or $GF(3)$): XL works much better and there is no "problem" at all when $m \approx n$. Detailed explanation and many computer simulations for this case are given in [14] and in the appendix of [7].

6 Our Computer Simulations on XL 

In all our simulations we pick a random system of linearly independent quadratic (non-homogeneous) equations $y_i = l_i(x_1, \ldots, x_n)$ and pick a random input $x = (x_1, \ldots, x_n)$. Then we modify the constants in the system in order to have a system that has a solution (and gives 0 in $x$). The system to solve is then of the form $l_i(x_0, \ldots, x_{n-1}) = 0$, for $i = 1, \ldots, m$.

In Appendix A we show that for overdefined systems of equations over $GF(2^k)$, i.e. when $m \ge n + e$, XL works very well. Below we study the hard case, when $m \approx n$.
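To make the counting of Section 4 and the bound Free $\le \min(T - 1, R)$ of Section 5.1 concrete, the following added Python example (not code from the paper) builds a random quadratic system with a planted root as in the simulations described above, runs XL steps 1 and 2 over a constructed toy field $GF(2^4)$ and measures $R$, $T$ and Free; `xl_counts` reproduces the $R$ and $T$ columns of Table 2. The field size, the modulus and the random seed are assumptions of the example.

```python
import itertools
import random
from math import comb

# Constructed toy field GF(2^K) (the paper's runs use K up to 7); D < 2^K - 1 below, so no exponent reduction is needed (Remark, Section 2).
K = 4
POLY = 0b10011          # x^4 + x + 1, irreducible over GF(2)
Q = 1 << K

def gf_mul(a, b):
    """Multiply in GF(2^K): shift-and-add, reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= POLY
    return r

def gf_inv(a):
    """Inverse of a non-zero element (brute force is fine for a 16-element field)."""
    return next(b for b in range(1, Q) if gf_mul(a, b) == 1)

def monomials(n, d):
    """Exponent vectors of all monomials of total degree <= d in n variables."""
    out = []
    for total in range(d + 1):
        for combo in itertools.combinations_with_replacement(range(n), total):
            e = [0] * n
            for i in combo:
                e[i] += 1
            out.append(tuple(e))
    return out

def xl_counts(n, m, D):
    """R and T of the Section 4 analysis: R = m*C(n+D-2, D-2), T = C(n+D, D)."""
    return m * comb(n + D - 2, D - 2), comb(n + D, D)

def evaluate(poly, x):
    """Evaluate a polynomial {exponent vector: coefficient} at the point x."""
    total = 0
    for e, c in poly.items():
        term = c
        for xi, ei in zip(x, e):
            for _ in range(ei):
                term = gf_mul(term, xi)
        total ^= term
    return total

def random_mq_system(n, m, rng):
    """m random quadratics l_i with a planted root x, as in the Section 6 setup:
    random coefficients, then the constant term is fixed so that l_i(x) = 0."""
    x = [rng.randrange(Q) for _ in range(n)]
    system = []
    for _ in range(m):
        poly = {e: rng.randrange(Q) for e in monomials(n, 2)}
        poly[tuple([0] * n)] ^= evaluate(poly, x)   # characteristic 2: -l(x) = l(x)
        system.append(poly)
    return system, x

def xl_expand(system, n, D):
    """XL step 1 (the set I_D): every l_i times every monomial of degree <= D-2."""
    rows = []
    for mono in monomials(n, D - 2):
        for poly in system:
            rows.append({tuple(a + b for a, b in zip(mono, e)): c
                         for e, c in poly.items()})
    return rows

def rank_gf(rows, columns):
    """XL step 2: Gaussian elimination over GF(2^K); the rank is Free."""
    col = {e: j for j, e in enumerate(columns)}
    mat = [[0] * len(columns) for _ in rows]
    for i, row in enumerate(rows):
        for e, c in row.items():
            mat[i][col[e]] ^= c
    rank = 0
    for j in range(len(columns)):
        pivot = next((i for i in range(rank, len(mat)) if mat[i][j]), None)
        if pivot is None:
            continue
        mat[rank], mat[pivot] = mat[pivot], mat[rank]
        inv = gf_inv(mat[rank][j])
        mat[rank] = [gf_mul(inv, v) for v in mat[rank]]
        for i in range(len(mat)):
            if i != rank and mat[i][j]:
                f = mat[i][j]
                mat[i] = [v ^ gf_mul(f, p) for v, p in zip(mat[i], mat[rank])]
        rank += 1
    return rank

def xl_experiment(n, m, D, seed=1):
    """One Table 2 style run: returns (R, T, Free, Free >= T - D)."""
    system, x = random_mq_system(n, m, random.Random(seed))
    rows, cols = xl_expand(system, n, D), monomials(n, D)
    assert all(evaluate(r, x) == 0 for r in rows)   # the planted root survives
    free = rank_gf(rows, cols)
    return len(rows), len(cols), free, free >= len(cols) - D
```

Because the planted root satisfies every row, the measured Free can never reach $T$, which is exactly the Section 5.1 argument.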
6.1 Simulations on XL over $GF(2^k)$ when $m = n$

Table 1. XL over $GF(2^k)$ for $m = n$

Legend:

$n$: number of variables.
$m$: number of equations.
$D$: we generate equations of total degree $\le D$ in the $x_i$.
$R$: number of equations generated (independent or not).
$T$: number of monomials of degree $\le D$.
Free: number of linearly independent equations among the $R$ equations.
Note: XL will work when Free $\ge T - D$.



It is very interesting to observe the column in bold characters: though already for $D = 5$ XL gives $R > T$ and therefore it could work, it will not work until we have $D = 16$. The difference is quite big: the complexity of the attack grows exponentially in $D$.

We see that for $m = n$ and over $GF(2^k)$ the XL algorithm works very poorly. In [32], for simulations over $GF(127)$, it appears that the minimum degree is $D = 2^n$. We observe the same here. The reason for this is, following [32], that for $m = n$ the system has many solutions not only in the base field, but also in the algebraic closure.

It is interesting to see that basic XL over $GF(2^k)$ becomes impractical already for $m = n = 5$: in this case, doing XL with $D = 2^5 = 32$ would give a complexity of about $2^{45}$, more than exhaustive search in $2^{7 \cdot 5} = 2^{35}$. Later we will improve XL to handle such systems much faster.

6.2 Simulations on XL over $GF(2^k)$ when $m = n + e$

We will see that, similarly as in [32], the behaviour of XL dramatically improves when $m$ becomes slightly bigger than $n$. We no longer need $D = 2^n$ and XL works about as soon as $R$ becomes larger than $T$.

Table 2. XL over $GF(2^k)$ for $m = n + e$ (notations as for Table 1)

  n   m   D      R      T   Free   Free/(T-D)   Success
  4   4  11   2860   1365   1349        0.99
  4   4  16  12240   4845   4829        1.00     OK
  4   5   4     75     70     65        0.98
  4   5   5    175    126    125        1.03     OK
  4   6   3     30     35     30        0.94
  4   6   4     90     70     69        1.05     OK
  5   6   4    126    126    111        0.91
  5   6   5    336    252    246        1.00     OK
  5   7   3     42     56     42        0.79
  5   7   4    147    126    125        1.02     OK

7 XLF - New Version of XL for $m \approx n$ and $GF(2^k)$

In Section 6.1 we saw that XL does not work very well when $m = n$ and over a large field $GF(2^k)$. From the analysis done in [32], we expect that this is due to the existence of many additional solutions to our system of equations that lie in
an extension field. In this section we introduce a new version of XL, called XLF, 
designed specifically to handle this problem over fields GF{2^). XL stands for 
multiply (X) and linearize (L), the new method is called XLF, which stands for 
multiply (X) and linearize (L) and apply Frobenius mappings (F). The basic idea 
of XLF is borrowed from the Murphy- Robshaw representation of AES [26] . Each 
variable x that appears in the system of equations will be duplicated k times, 
instead of Xi, we will have k variables denoted by (a;^), (xf), (xj ), . . . , {xf 
Each equation 0 = CHj^iXj will be also duplicated k times: we will write: 
0 = 6tc. After doing XL expansion we get k times as many 

equations of degree D and k times as many variables as in the regular XL 
execution. Then we add some new equations that relate the new variables to 
each other. For example, we add k ■ n quadratic equations as follows: for each i 
we have (x^) = (x) • (x) up to (x) = (x^ ) ■ ). If D > 4 we have also kn 

equations of type (x^) = (x) • (x) • (x) • (x) etc. Since the equations we added are 
only equalities between monomials, we may as well identify these monomials, 
which is equivalent to counting less monomials. In the extended version of this 
paper we give a precise list of all the monomials that are identified, and formulas 
to compute the resulting reduced number of monomials T. 
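Why the added XLF equations remove solutions outside GF(2^k), as an added example that is not code from the paper: in a constructed ambient field GF(2^6) (defined by the irreducible polynomial x^6 + x + 1, an assumption of this example) the chain (x), (x^2), ..., (x^(2^(k-1))) closes back on (x) exactly for the elements of the subfield GF(2^k), so any coordinate of a spurious extension-field solution violates the last relation (x) = (x^(2^(k-1)))·(x^(2^(k-1))).

```python
# Added example, not the paper's code: the Frobenius chain behind XLF.
# Ambient field is a constructed GF(2^6) = GF(2)[x]/(x^6 + x + 1); its
# subfields are GF(2^j) for j | 6, i.e. GF(2), GF(4) and GF(8).
DEG = 6
MOD = 0b1000011  # x^6 + x + 1, irreducible over GF(2)


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^6), represented as 6-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> DEG & 1:      # reduce modulo x^6 + x + 1
            a ^= MOD
    return r


def frobenius_copies(a: int, k: int) -> list:
    """The k XLF variables (x), (x^2), (x^4), ..., (x^(2^(k-1))) for x = a."""
    copies = [a]
    for _ in range(k - 1):
        copies.append(gf_mul(copies[-1], copies[-1]))
    return copies


def xlf_chain_closes(a: int, k: int) -> bool:
    """Check the added XLF equations for one coordinate value a.

    The first k-1 relations (x^(2^(i+1))) = (x^(2^i))*(x^(2^i)) hold by
    construction of the copies; the last one, (x) = (x^(2^(k-1)))*(x^(2^(k-1))),
    says a^(2^k) = a, which is true exactly when a lies in GF(2^k).
    """
    copies = frobenius_copies(a, k)
    last = copies[-1]
    return gf_mul(last, last) == copies[0]


def count_chain_consistent(k: int) -> int:
    """Elements of the ambient GF(2^6) that survive the XLF relations for GF(2^k)."""
    return sum(xlf_chain_closes(a, k) for a in range(1 << DEG))


if __name__ == "__main__":
    for k in (1, 2, 3, 4, 6):
        # survivors form GF(2^gcd(k,6)): 2, 4, 8, 4 and 64 elements
        print(k, count_chain_consistent(k))
```

For k = 3 only the 8 elements of GF(8) pass, so a solution of the XL system whose coordinates lie in GF(64) \ GF(8) cannot satisfy the XLF system.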

7.1 Comparing XLF and XL 

It is easy to see that by this simple trick, all the solutions with x_i ∉ GF(2^k) will 
be removed, because they cannot satisfy the added equations. We conjecture that 
XLF will work as long as R becomes somewhat bigger than T in the ordinary 
XL (for example twice as big). This belief is motivated by the paper [14], where 
it is shown that the field equations of GF(2) make XL always work as long 
as R > 1.1 T. 

XLF is expected to work where the original XL fails: for m ≈ n XL does 
not work well when R > T, as shown in Section 6. XLF uses k times as many 
equations, and k times as many monomials as XL. We expect therefore that the 
complexity of XLF will be only moderately bigger than the expected complexity 
of XL (if the XL itself does not work). Indeed, our simulations (Table 3) show 
that XLF works very well when XL fails, i.e. even when m = n. 





Algebraic Attacks over GF(2^k) 209 

Table 3. XLF algorithm over GF(2^k) for m = n (notations as for Table 1). 

  n   m   D       R       T    Free   Free/(T-D)   Success 
  2   2   2      14      22      14      0.70 
  2   2   3      42      50      42      0.89 
  2   2   4      84      64      61      1.02        OK 
  3   3   2      21      43      21      0.51 
  3   3   3      84     113      84      0.76 
  3   3   4     210     176     168      0.98 
  3   3   5     420     323     315      0.99 
  3   3   6     735     449     445      1.00        OK 
  4   4   6    1960    1226    1218      0.999 
  4   4   7    3528    2066    2058      0.999 
  5   5   8   16710    8128    8120      1.00        OK 
(the remaining rows for n = 4 and n = 5 are illegible in the scan) 

We see that XLF behaves much better than XL for solving systems of equations 
over GF(2^k) with m = n. For example, with XL, we need D = 2^5 = 32 
to solve a system of 5 equations with 5 unknowns, while with XLF D = 8 is 
enough. This is an important improvement, because the complexity of both XL 
and XLF is very much the same, with an important factor that is exponential 
in D. 



7.2 Relation with Algebraic Attacks on AES 

The idea of the XLF algorithm introduced in this paper is closely related to the question 
of feasibility of an algebraic attack on AES [15]. In the Murphy-Robshaw 
representation of AES, see [26] for details, the equations are written over GF(256), 
and have the same structure as in XLF: for each variable (x) there is a variable 
that is always equal to (x^2), and for each equation, its square is also present 
in the system. 

These equations may be combined with the Courtois-Pieprzyk XSL attack on 
AES (XSL is different from XL and beyond the scope of this paper). From the 
values of R and T obtained in XSL it seems that, if sufficiently many equations 
are linearly independent, AES 128 bits would be broken in about 2^100, see [15,26]. 
However, on a web page entitled "AES is not broken" [25], T.T. Moh unwillingly 
acknowledges that the XL algorithm will work, but objects for XSL and AES 
as follows: "new considerations of the XL method to the smallest field GF(2) 
with the well-known trick of adding the equations x_i^2 + x_i = 0 to make the 
the component at infinity empty to satisfy the requirement of our Proposition 
2" (...) "Note that this trick can not be used for the AES situation, since the 
corresponding equations would be x_i^256 + x_i = 0, the degrees 256 would be too 
high for practical purpose." 

This is very interesting, because as far as we know, it is the only somewhat 
mathematically founded argument that has been put forward so far, suggesting 
that the Courtois-Pieprzyk-Murphy-Robshaw attack might not work on 
AES. Yet as we have seen above, this argument is void: the structure of the equations 
forces each of the variables to lie in GF(256). This excludes additional 
roots in extension fields that would make the attack fail. Moreover, it is also 
easy to see that with such equations there will be no points at infinity: if we 
homogenise the equations (x_i^2) = (x_i)·(x_i) with a new variable (a), we get 
(a)·(x_i^2) = (x_i)·(x_i), and then if a = 0, all the x_i will be 0, which is a 
contradiction. 

Consequences for AES: Results on XL certainly do not prove that the XSL 
attack on AES works. Yet the Moh argument saying it shouldn't work does 
not apply at all to this specific Courtois-Pieprzyk-Murphy-Robshaw system of 
equations. More generally, this paper shows that it is in general risky, and difficult 
to predict, whether an algebraic attack will or will not work. We have seen that 
for (somewhat) deeply mathematical reasons XL does not work very well for 
Sflash. Yet, as we will see later, a subtle and finally quite minor modification of 
XL, such as XLF or XL', is enough to make it work and break Sflash. 

8 New Attacks on Sflash 

In this section we present three new methods that allow breaking Sflash in less 
than the Nessie security requirement of 2^80 Triple-DES computations. 

8.1 Applying XLF to Sflash 

In Sflash we have n = 37 and m = 26. Equations are quadratic over GF(2^7). We 
fix 11 arbitrary variables to 0 and still expect to have on average one solution. 
Then we apply XLF, the new version of XL. For D = 7 we have R = 7 · 4417686 
and T ≈ 7 · 4272048. Though XL does certainly fail here, we expect that XLF 
may work. For D = 7 the complexity would be about T^ω ≈ 2^67. Even if we were 
too optimistic, and XLF works only for D = 10, then we still have an attack in 
T^ω ≈ 2^? CPU clocks (exponent illegible), which is less than the 2^80 triple-DES computations required 
by Nessie. 

8.2 Another Attack on Sflash Using the XL' Method from [14] 

In this section we present yet another and even simpler method to break Sflash. 
Instead of XL, we apply the XL' algorithm from [14]. With classical XL, for 
D = 7 we have R = 4417686 and T = 4272048; however, in practice, Free 
does not take the value > T − D for a very long time. This makes XL fail so 
far. Still, as shown by all simulations of Section 6.1, Free remains very close to 
T − D, and from this we expect that the XL' version of XL described in [14] will 
work. We have n = 26 and m = 26. We count all the monomials containing only 
the first 5 variables: let T' be their number; we have T' = C(12,5) = 792. It seems 
very likely that the rank, usually close to T − D, will be at least T − T' + 5. Then 
we are able to eliminate all the monomials that contain any of the remaining 
n − 5 = 26 − 5 = 21 variables, and get a system of 5 equations of degree D = 7 
with 5 variables, with T' = 792 monomials. Such a system can be solved by 
exhaustive search in about 2^(7·5) · 792 · 5 ≈ 2^47. The total complexity of the attack 
will be (2^47 + T^ω) ≈ 2^58 CPU clocks. 

8.3 Another Attack on Sflash with Modified FXL 

In this attack we will use the idea of FXL from [32]: guess values of a few variables 
in Sflash, and then solve the system by XL. FXL leads 
very quickly to an overdefined system of equations, and from [32] and following 
our experiments done in Section 6.2, we expect that after fixing a few variables 
XL will work. 

Moreover, we will be able to do only once most of the Gaussian reduction 
that in FXL is done each time, which will give better results than basic FXL 
from [32]. We proceed as follows: 

1. We start with MQ with m = n = 26 and over GF(2^7). 

2. We fix f = 4 variables (this is the optimal choice we have found). 

3. We have 22 variables said of "type a" and f = 4 variables "of type b". 

4. We multiply all the equations by all the products of degree up to D = 6 of 
the variables of "type a". 

5. The number of equations is R = 26 · C(26,4) = 388700. 

6. In these equations we will eliminate all monomials of degree exactly D = 6 in 
the variables of "type a". Their number is exactly T' = C(27,6) = 296010. 
They do not depend on the variables of "type b", and can be eliminated once 
for all. 

7. Thus we get R − T' = 92690 equations that are of degree D − 1 = 5 in the 
variables of "type a". 

8. If we fix a random value for the four variables of "type b", then we get a 
system of R − T' = 92690 equations with T'' = C(27,5) = 80730 monomials 
that is sufficiently defined, as 92690 > 80730. 

9. We expect that if the guess for the four variables of "type b" is correct, then 
the system has a solution and the rank of this system is at most 80730 − 1. 
However if the guess is wrong, we expect the system to be contradictory and 
the rank to be 80730. 

10. We expect that on average exactly one guess will be correct. 

11. The complexity to find the right values for the four variables of "type b" 
with Strassen's version of the Gaussian reduction is about: 

2^28 · 7/64 · (80730)^(log_2 7) ≈ 2^71 

Remark: It is possible to see that the matrices generated in our attacks 
are somewhat sparse and that they can probably still be (slightly) improved by 
using sparse linear algebra. 
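The bookkeeping of Sections 6 to 8 as an added example (not the paper's own code): it computes R, T, the Free ≥ T − D working rule read off the tables, and the Sflash counts of 8.1, 8.2 and 8.3 with the Strassen-style cost 7/64·T^(log_2 7) used in step 11. It assumes the standard XL counts R = m·C(n+D−2, n) (m quadratic equations multiplied by all monomials of degree ≤ D−2) and T = C(n+D, n), which reproduce every legible R and T entry of Tables 2, 3 and 7.

```python
# Added example, not from the paper: sizing XL / XLF and the Section 8 attacks.
# Assumed counts: R = m*C(n+D-2, n) equations and T = C(n+D, n) monomials.
from math import comb, log2

LOG2_7 = log2(7)          # exponent of Strassen's Gaussian reduction


def xl_counts(n: int, m: int, D: int) -> tuple:
    """Equations R and monomials T of XL at degree D."""
    return m * comb(n + D - 2, n), comb(n + D, n)


def xlf_equations(n: int, m: int, D: int, k: int) -> int:
    """XLF over GF(2^k): k Frobenius copies of every XL equation."""
    return k * xl_counts(n, m, D)[0]


def xl_works(free: int, T: int, D: int) -> bool:
    """Working rule read off the paper's tables: Free/(T-D) must reach 1."""
    return free >= T - D


def sflash_xl_counts() -> tuple:
    """Sections 8.1/8.2: Sflash after fixing 11 of 37 variables, n = m = 26, D = 7."""
    return xl_counts(26, 26, 7)


def xl_prime_search_log2(n_keep: int = 5, D: int = 7, k: int = 7) -> float:
    """Section 8.2: exhaustive search over the n_keep remaining variables,
    costing (2^k)^n_keep trials times T' monomials times n_keep equations."""
    t_prime = comb(n_keep + D, n_keep)           # 792 for n_keep = 5, D = 7
    return k * n_keep + log2(t_prime * n_keep)


def fxl_counts(n: int, m: int, f: int, D: int) -> tuple:
    """Section 8.3 bookkeeping with f fixed ('type b') variables.
    Returns R (equations after multiplying by type-a products up to total
    degree D), T' (type-a monomials of degree exactly D, eliminated once) and
    T'' (type-a monomials of degree <= D-1 left after fixing the f guesses)."""
    a = n - f
    R = m * comb(a + D - 2, a)
    T_top = comb(a + D - 1, D)
    T_rest = comb(a + D - 1, a)
    return R, T_top, T_rest


def fxl_guess_cost_log2(f: int, k: int, T_rest: int) -> float:
    """Step 11: (2^k)^f guesses, each a Strassen elimination on T_rest columns."""
    return f * k + log2(7 / 64) + LOG2_7 * log2(T_rest)


if __name__ == "__main__":
    R, T = sflash_xl_counts()
    print(f"Sflash XL  D=7: R={R} T={T}")                      # 4417686 4272048
    print(f"Sflash XLF D=7: R={xlf_equations(26, 26, 7, 7)}")  # 7 * 4417686
    print(f"XL' search    : 2^{xl_prime_search_log2():.1f}")   # about 2^47
    R, Tt, Tr = fxl_counts(26, 26, 4, 6)
    print(f"FXL: R={R} T'={Tt} T''={Tr} R-T'={R - Tt}")        # 388700 296010 80730 92690
    print(f"FXL guess cost: 2^{fxl_guess_cost_log2(4, 7, Tr):.1f}")  # about 2^71
```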
9 Application of Our Attacks to HFE Challenge 2 

The HFE Challenge 2 was published by Patarin in the extended version of [30], 
with a prize of 500 $. In the extended version of this paper we apply exactly "as 
they are" our 3 attacks from Section 8. Results are given in Table 4 and our best 
attack on HFE Challenge 2 gives 2^63. 

10 Conclusion and Perspectives 

The problem MQ of solving a set of multivariate quadratic equations over a finite 
field arises in cryptography (allowing to propose new cryptographic primitives), 
but also in cryptanalysis (for example for AES). In this paper we have studied 
the XL algorithm over GF(2^k). We show that it works very well for overdefined 
equations and fails when m ≈ n. Then we present XLF, a modified version of 
XL that works also in this case. 

Using XLF, and also with two other versions of XL known as XL' and FXL, 
we present three new attacks on Sflash, a signature scheme accepted by the 
European Nessie consortium. All these three new attacks are faster than 2^80, 
and the fastest requires about 2^58 CPU clocks. They also apply to Patarin's 500 
$ HFE Challenge 2, and the best gives 2^63. 

In our results, one can notice that XLF is not the best method to break 
Sflash and HFE Challenge 2. This is because 2^k is still not too big. It is possible 
to see that, when 2^k is very big, XLF, introduced in this paper, will be the only 
method known to solve efficiently systems of quadratic equations over GF(2^k) 
with m = n. To summarize: 



Table 4. Summary of the results of this paper. 

                             XL from [32]   XLF (new)   XL' from [14]   improved FXL 
  Sflash-v2                        2^282        2^67            2^58           2^71 
  Sflash-v3 [13], m = 56             -           2^?             2^?            2^? 
  HFE Challenge 2                  2^122        2^76            2^?            2^63 
  General MQ, m ≈ n, k big         fails        works           fails          fails 

(entries marked 2^? are illegible in the scan) 



In Appendix A of this paper we show that, as in [14], we succeed in predicting 
perfectly the behaviour of XL for D < 6, and this is sufficient to cryptanalyse 
current versions of Sflash and HFE Challenge 2. In general, the asymptotic 
behaviour of XL can be studied by the theory of Gröbner bases, see [17,18,16,2]. 
We conjecture that the complexity of solving MQ systems over a finite field with 
m ≈ n must grow exponentially with n, and even for equations over GF(2), 
the easiest case, it can be shown that applying the Buchberger algorithm to ideals 
generated in XL has single exponential worst case complexity, see [16] or [2]. 

Consequences for Sflash and HFE. We did not exhibit any structural 
weakness of these schemes. We simply showed that the proposed parameter sizes 
are insufficient for the hardness of the generic one-way problem. These schemes 
will resist all the attacks described in the present paper if we increase the parameters 
m and n. Thus in Table 4 above we see that the latest updated version Sflash-v3 
from [13] remains very secure. 

Potential consequences for other algebraic attacks such as the XSL attack 
on AES. We showed that for systems of low degree equations over fields 
GF(2^k), it is not hard to avoid additional solutions in the algebraic extension or 
at infinity, that would make algebraic attacks fail. The Frobenius-based transformation 
method (adding new variables and new equations), inspired by [26] 
and developed in this paper, may be of independent interest: it can potentially 
be applied to various systems of equations solved by various methods. For example, 
equations can be derived from a block cipher, to be later solved by an XSL-type 
method [15]. This simple trick (not needed in [15] nor in [26]) can transform an 
attack that does not work into an attack that does work, while increasing the 
size of the equations only k times. 

Note: The extended version of this paper is available from the author. 
A More Computer Simulations - Predicting the 
Behaviour of XL 

In this section we will show that XL works very well for even slightly overdefined 
systems of equations over GF(2^k), i.e. when m exceeds n by even a small value. 
Moreover, we will show, as in [14], how to predict the behaviour of XL, and this 
prediction will in many cases remain valid also when m = n (the case m ≈ n is 
studied in Section 6). 

As before, in these simulations we pick a random system of linearly independent 
quadratic (non-homogeneous) equations y_i = f_i(x_1, ..., x_n) and pick a 
random input x = (x_1, ..., x_n). Then we modify the constants in the system to 
have a system that has (at least) one solution x. 

A.1 The Behaviour of XL over GF(2^k) for D = 3 

We have always Free ≤ min(T − 1, R). We have done various computer simulations 
with D = 3, and in our simulations, for D = 3, we have always Free = 
min(T − 1, R) or Free = min(T − 1, R) − 1. 

In the following table we fix n and try XL on a random system of m linearly 
independent equations with growing m and with a fixed D. 

Table 5. XL over GF(2^k) for D = 3 (notations as for Table 1) 
(table body not recovered from the scan) 

A.2 The Behaviour of XL over GF(2^k) for D = 4 

When D = 4 we do not have Free = min(T, R) anymore. 

We see that for D = 4 most of the equations are linearly independent. We 
observed that we have always: 

For D = 4, Free = min(T − 1, R − C(m,2)) 

Table 6. XL over GF(2^k) for D = 4 (notations as for Table 1) 
(table body not recovered from the scan) 
The fact that Free = R − C(m,2) when R − C(m,2) < T means that, in all cases, 
there are C(m,2) linear dependencies between the equations in R. As in [14], we are 
able to explain the origin (and the exact number) of these linear dependencies: 
let l_i be the equation names (not expanded, just written as l_i) and let [l_i] 
denote the expanded expression of these equations as quadratic polynomials. 
Then we have: 

l_i · [l_j] = [l_i] · l_j 

For each i ≠ j, the above equation defines a linear dependency between the 
equations of XL. This explains the C(m,2) dependencies. 

Example: For example if l_1 = x_1 x_3 + x_4 and l_5 = x_2 x_1 + x_4 x_7 then 
the notation l_1[l_5] = [l_1]l_5 denotes the following linear dependency between the 
equations l_i x_j x_k of XL: 

l_1 x_2 x_1 + l_1 x_4 x_7 = l_5 x_1 x_3 + l_5 x_4. 



A.3 The Behaviour of XL over GF(2^k) for D = 5 

Following the method from [14] and used in the previous section, we will try to 
predict the exact number of linearly independent equations that will be obtained 
for D = 5. First of all, we have the C(m,2) linear dependencies of type l_i[l_j] = [l_i]l_j 
that are the same that existed for D = 4. In addition we have dependencies like: 

It gives n · C(m,2) dependencies. By inspection we check that for D = 5 we are 
unable to generate any more dependencies. From the above, we expect that: 

For D = 5, Free = min(T − 1, R − (n + 1) · C(m,2)) 

Is that all the linear dependencies? Apparently yes. 

All our simulations confirm the above formula. 
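The three prediction formulas of A.1 to A.3 as an added example that is not the paper's code: it computes the predicted Free from n, m and D, and the smallest D ≤ 5 at which the prediction reaches the working rule Free ≥ T − D. The XL counts R = m·C(n+D−2, n) and T = C(n+D, n) are assumed (they reproduce the tables), and the caveat of A.4 applies: the predictions are for overdefined systems and are not reliable when m = n, where Section 6 reports D = 2^n in practice.

```python
# Added example, not the paper's code: rank predictions of Appendix A.1-A.3.
from math import comb


def xl_counts(n: int, m: int, D: int) -> tuple:
    """Assumed XL counts: R equations and T monomials at degree D."""
    return m * comb(n + D - 2, n), comb(n + D, n)


def dependency_count(n: int, m: int, D: int) -> int:
    """Linear dependencies among the R equations explained in A.2 and A.3:
    C(m,2) of type l_i[l_j] = [l_i]l_j at D = 4, and n times as many more at D = 5."""
    if D <= 3:
        return 0
    if D == 4:
        return comb(m, 2)
    if D == 5:
        return (n + 1) * comb(m, 2)
    raise ValueError("the paper gives formulas only up to D = 5")


def predicted_free(n: int, m: int, D: int) -> int:
    """Predicted number of linearly independent equations, Free."""
    R, T = xl_counts(n, m, D)
    return min(T - 1, R - dependency_count(n, m, D))


def predicted_working_degree(n: int, m: int):
    """Smallest D in 3..5 at which the prediction reaches Free >= T - D, else None.
    Only meaningful for m > n; for m = n the page reports D = 2^n in practice."""
    for D in range(3, 6):
        _, T = xl_counts(n, m, D)
        if predicted_free(n, m, D) >= T - D:
            return D
    return None


if __name__ == "__main__":
    # rows of Table 2: (n, m, D) -> predicted Free, compare with the Free column
    for n, m, D in [(4, 5, 4), (4, 6, 4), (5, 6, 4), (5, 7, 4), (4, 5, 5), (5, 6, 5)]:
        print(n, m, D, predicted_free(n, m, D))      # 65 69 111 125 125 246
    print(predicted_working_degree(4, 5), predicted_working_degree(5, 7))  # 5 4
```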
Table 7. XL over GF(2^k) for D = 5 (notations as for Table 1) 

   n   m   D       R       T    Free   Expected   Free/(T-D)   Success 
   5   5   5     280     252     220       220         0.88 
   5   6   5     336     252     246       246         0.98 
   5   7   5     392     252     250       250         1.00        OK 
  10  10   5    2860    3003    2365      2365         0.79 
  10  15   5    4290    3003    3002      3002         0.99 
  10  16   5    4576    3003    3002      3002         1.00        OK 



A.4 The Behaviour of XL over GF(2^k) when D ≥ 6, ... 

As in [14], it is possible to continue and give formulas for Free when D = 6 
etc. These formulas are expected to predict the behaviour of XL for any D for 
overdefined systems with m ≥ n + e. The results given here are very similar to those 
for fields GF(2) in [14], except that in [14] the formulas work also when m = n, 
which is the hard case here. 

The exact formula for all D is unknown. This formula is probably not very 
simple, due to entanglement of linear dependencies: so far we only subtracted 
linear dependencies, yet for a larger D dependencies among these dependencies 
will appear, etc. Apparently for XL over GF(2) the exact number of linearly 
independent equations can be computed from the work of Jean-Charles Faugère 
[17,18], extending the so-called Buchberger criteria; however we do not know if 
the problem is solved for XL over GF(2^k), k > 1. 
Abstract. We consider RSA-type schemes with modulus N = p^r q for 
r ≥ 2. We present two new attacks for small secret exponent d. Both approaches 
are applications of Coppersmith's method for solving modular 
univariate polynomial equations [5]. From these new attacks we directly 
derive partial key exposure attacks, i.e. attacks when the secret exponent 
is not necessarily small but when a fraction of the secret key bits is 
known to the attacker. Interestingly, all of these attacks work for public 
exponents e of arbitrary size. Additionally, we present partial key exposure 
attacks for the value d_p = d mod p − 1 which is used in CRT-variants 
like Takagi's scheme [11]. Our results show that RSA-type schemes that 
use moduli of the form N = p^r q are more susceptible to attacks that 
leak bits of the secret key than the original RSA scheme. 

Keywords: N = p^r q, Coppersmith's method, Partial Key Exposure 
Attacks 



1 Introduction 

We investigate attacks on cryptographic schemes that use public moduli of the 
form N = p^r q for some constant r > 1. Moduli of this type have recently been 
used in different cryptographic designs. Fujioka, Okamoto and Uchiyama [6] 
presented an electronic cash scheme using a modulus N = p^2 q. Furthermore, 
Okamoto and Uchiyama [10] designed an elegant public-key crypto scheme that 
is provably as secure as factoring a modulus N = p^2 q. A fast CRT-RSA variant 
using moduli of the form N = p^r q was introduced by Takagi [11] in 1998. The 
larger one chooses r in Takagi's scheme, the more efficient is the scheme for a 
fixed bit-size of the modulus N. 

Consider an RSA-type scheme with public key (N, e), where N = p^r q for 
some fixed r > 1 and p, q are of the same bit-size. The secret key d satisfies 
ed = 1 mod φ(N), where φ(N) is Euler's totient function. We denote by ... 
the multiplicative group of invertible integers modulo φ(N). 

In 1999, Boneh, Durfee and Howgrave-Graham [3] showed that schemes with 
moduli of the form N = p^r q are more susceptible to attacks that leak bits 
of p than the original RSA-scheme. Using Coppersmith's method for solving 
univariate modular equations [5], they showed that it suffices to know a fraction 
of ... of the MSBs of p to factor the modulus. It is an interesting task whether 
schemes with N = p^r q are also more susceptible to attacks that leak bits of the 
secret exponent d. In most side-channel attack scenarios (see for instance [7,8]), 
it is more reasonable to assume that an adversary gains knowledge of a fraction 
of the secret key bits than knowledge of the prime factor bits. 

Intuitively, one should expect that crypto-systems with moduli of the form 
N = p^r q, r > 1 are more vulnerable to secret key attacks than the original RSA-scheme, 
since for a fixed bit-size of N the amount of secret information encoded 
in the prime factors is smaller than in RSA. Hence, these schemes should be 
more susceptible to small secret key attacks like the Wiener attack [12] and the 
Boneh-Durfee attack [1]. Likewise, these schemes should be more susceptible to 
so-called partial key exposure attacks that use the knowledge of a fraction of 
the secret key bits like the Boneh-Durfee-Frankel attack [2] and the Blömer-May 
attack [4]. 

In contrast to this intuition, it was stated in the work of Takagi [11] that 
RSA-type schemes with N = p^r q seem to be less vulnerable to attacks for small 
decryption exponents d than the original RSA-scheme. Namely, Takagi showed 
a generalized Wiener-bound of d < N^(1/(2(r+1))). However, we introduce two attacks 
with improved bounds for the size of d. Both new attacks are applications of 
Coppersmith's method for solving modular univariate polynomial equations [5]. 

Our first attack directly uses the results of Boneh, Durfee and Howgrave-Graham [2] 
for factoring N = p^r q. It yields an improved bound of 

d < N^(r/(r+1)^2) for r ≥ 2. 

Let us compare the results for r = 2: Takagi requires that d < N^(1/6) whereas our 
new method works whenever d < N^(2/9). 

Our second method makes use of Coppersmith's method in the univariate 
case and leads to the bound 

d < N^(((r−1)/(r+1))^2) for r ≥ 2. 

Interestingly, in contrast to the previous bounds, this new bound converges to 
N for growing r instead of converging to 1. It improves upon our first attack 
for all parameter choices r ≥ 3: the second attack requires that d < N^(1/4) in the 
case r = 3 compared to d < N^(3/16) for our first method. Thus, our first attack 
is only superior to the other methods in the case r = 2. On the other hand, 
moduli of the form N = p^2 q are frequently used in cryptography and therefore 
they represent one of the most important cases. 

Interestingly, the new attacks for small decryption exponents d have two new 
features which the original Wiener attack and the Boneh-Durfee attack do not 
possess: 

— One cannot counteract the new attacks by choosing large public exponents 
e, since the attacks are independent of the value of e. In comparison, the 
Wiener bound d < N^(1/4) and the Boneh-Durfee bound d < ... require 
that e < φ(N). It is known that the attacks cannot be applied for any size 
of d if e > ... or e > ..., respectively. 

— The new attacks immediately imply a partial key exposure attack for d with 
known most significant bits (MSBs). Namely, it makes no difference in the 
attacks whether the most significant bits of d are zero (and thus d is a small 
decryption exponent) or are known to the attacker. In contrast, Wiener's 
attack and the Boneh-Durfee attack for small decryption exponents do not 
work when the MSBs are non-zero but known. In addition, the new attacks 
also provide partial key exposure attacks for known least significant bits 
(LSBs). 

Using the first attack, we are able to prove that a fraction of 

1 − r/(r+1)^2 of the MSBs or LSBs of d 

suffices to find the factorization of N = p^r q. The second attack yields partial key 
exposure attacks that require only a fraction of 

4r/(r+1)^2 of the MSBs or LSBs of d 

in order to factor N. 

The resulting partial key exposure attacks share the same property as the 
underlying attacks for small decryption exponents d: they do not rely on the size 
of the public exponent e. Note that all partial key exposure attacks mentioned in 
the literature [2,4] are dependent on e and do not work for arbitrary e ∈ ... 

The new methods are the first partial key exposure attacks that work for all 
public exponents e. 

The reason that all former attacks on RSA-type schemes depend on the 
size of e is that they all compute the parameter k in the RSA key equation 
ed − 1 = kφ(N). In contrast, our new attacks do not require the computation 
of k. Thus, k need not be a small parameter and hence the parameters e and 
d can be increased (thereby increasing k) without affecting the usability of the 
attacks. 

The reason that our new attacks do not require the direct computation of k is 
mainly that for moduli N = p^r q the group order of the multiplicative group is 
φ(N) = p^(r−1)(p − 1)(q − 1). Thus for r ≥ 2, φ(N) and N share the common divisors 
p and p^(r−1), respectively, and this can be used in the attacks by constructing 
polynomials with small roots modulo p (our first attack) and modulo p^(r−1) (our 
second attack), respectively. Looking at the equation ed − 1 = kφ(N) modulo 
p (respectively modulo p^(r−1)) removes the unknown parameter k. 

We want to point out that these new attacks are normally not a threat to 
Takagi's scheme [11]. Since Takagi's CRT-decryption process only makes use of 
the values d_p = d mod p − 1 and d_q = d mod q − 1, it suffices to choose a d 
which satisfies ed = 1 mod (p − 1)(q − 1). For this kind of public-key/secret-key 
pair (e, d), our previous attacks do not apply. Even worse, normally one would 
not even store the value of d but only the values of d_p and d_q for the decryption 
process. Therefore, it is reasonable to assume that an attacker may only get bits 
of d_p or d_q. Hence, it is an interesting task to derive partial key exposure attacks 
for known bits of d_p (respectively d_q). 

We show that the partial key exposure attacks of Blömer and May [4] for 
moduli N = pq generalize to the case N = p^r q. Interestingly, the results are again 
much better for r > 1. Namely, we present attacks that need only a fraction of 

1/(r+1) of the MSBs or LSBs of d_p 

when the public exponent e is small. This shows that Takagi's scheme is also 
more susceptible to attacks that leak bits of d_p than normal CRT-RSA. 

The paper is organized as follows: In Section 2, we review Coppersmith's 
method for modular univariate polynomial equations [5]. Here, we introduce a 
reformulation of Coppersmith's original theorem that unifies all known applications 
(see [2,3,4,5]) of the method in the univariate case. As an example, we derive 
the result of Boneh, Durfee and Howgrave-Graham [3] for factoring N = p^r q as 
a direct application of Coppersmith's theorem. The first attack for small d and 
the corresponding partial key exposure attacks are presented in Section 3. In 
Section 4, we describe our second attack. The partial key exposure attacks for 
d_p are presented in Section 5. 

2 Coppersmith's Method and the Result of BDH 

Let us recall Coppersmith's theorem for solving modular univariate polynomial 
equations [5]. Here, we give the theorem in a slightly more general form than 
originally stated. However, one can prove the theorem in a completely analogous 
way to the reasoning in the original proof of Coppersmith. We give the details 
of the proof in the full version of the paper. 

Theorem 1 (Coppersmith) Let N be an integer of unknown factorization, 
which has a divisor b ≥ N^β. Let f_b(x) be a univariate, monic polynomial of 
degree δ. Furthermore, let c_N be a function that is upper-bounded by a polynomial 
in log N. Then we can find all solutions x_0 for the equation f_b(x) = 0 mod b with 

|x_0| < c_N N^(β^2/δ) 

in time polynomial in (log N, δ). 

Coppersmith formulated Theorem 1 for the special case where N = b. Then 
the bound for the solutions becomes |x_0| < c_N N^(1/δ). However, the above formulation 
of Coppersmith's theorem has some advantages: for instance, it is not 
hard to see that the result of Boneh, Durfee and Howgrave-Graham [3] for factoring 
N = p^r q with known bits is a direct application of Theorem 1 using the 
polynomial f_{p^r}(x) = (x + p̃)^r. 

In fact, the following theorem is stated in the original work of Boneh, Durfee 
and Howgrave-Graham for the special case k = 1, but we formulate it in a 
slightly more general way, since we will use this generalization in Section 3. 
Theorem 2 (BDH) Let N = p^r q, where r is a known constant and p, q are of 
the same bit-size. Let k be an (unknown) integer that is not a multiple of p^(r−1) q. 
Suppose we know an integer p̃ with 

|kp − p̃| < N^(r/(r+1)^2). 

Then N can be factored in polynomial time. 

Let us interpret the result of Theorem 2. In order to factor N it suffices to 
find an integer p̃ which is within the range N^(r/(r+1)^2) of some multiple of p (which 
is not a multiple of N). In the following section, we present our first new attack 
that constructs an integer p̃ with the above property whenever d is sufficiently 
small. 



3 The Attack Modulo p 

We present our first attack for small decryption exponents d and afterwards 
extend this approach to partial key exposure attacks. 

Theorem 3 Let N = p^q, where r >2 is a known constant and p, q are primes 
of the same bit-size. Let (e,d) G Z x puhlic-key/ secret-key pair 

satisfying ed = 1 mod 4>{N). Suppose that 

d < NTIW. 

Then N can he factored in probabilistic polynomial time. 

Proof: We know that 4>{N) = p^~^(p — !)(<? — 1) and therefore the key pair 
(e,d) satisfies the equation 

ed — 1 = kp^~^{p — l){q — 1) for some A; G N. (1) 

Let E be the inverse of e modulo N, i.e. Ee = 1 + cN for some c G N. If if does 
not exist then gcd(e, N) must be a non-trivial divisor of N. 

Note that each possible non-trivial divisor p^ , p^q or q {1 < s < r) does 
immediately yield the complete factorization of N: p® can be easily factored by 
guessing s and taking the root over the integers. On the other hand, p^q 
yields which reduces this case to the previous one. Similarly, q gives 

us p’’. 

Hence, let us assume wlog that the inverse $E$ of $e$ modulo $N$ exists. Multiplying
equation (1) by $E$ leads to

$d - E = \left(Ekp^{r-2}(p-1)(q-1) - cp^{r-1}qd\right)p$.

Thus, $E$ is a multiple of $p$ up to an additive error of $d < N^{\frac{r}{(r+1)^2}}$. In order to apply
Theorem 2, it remains to show that the expression $Ekp^{r-2}(p-1)(q-1) - cp^{r-1}qd$
is not a multiple of $p^{r-1}q$. Since $p^{r-1}q$ divides the second term, this is equivalent
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to showing that $Ek(p-1)(q-1)$ is not a multiple of $pq$. By assumption, we have
$\gcd(E, N) = 1$ and thus it remains to prove that $pq$ does not divide $k(p-1)(q-1)$.
Assume $k(p-1)(q-1) = c'pq$ for some $c' \in \mathbb{N}$. Then equation (1) simplifies to

$ed - 1 = c'N$.

On the other hand we know that $eE - 1 = cN$. Combining both equalities we
obtain that $d = E \bmod N$. Since $d, E < N$ we have $d = E$ even over $\mathbb{Z}$. It is a
well-known fact that the knowledge of the secret key $d$ yields the factorization
of $N$ in probabilistic polynomial time (see for instance [9], Chapter 4.6.1).

We briefly summarize our factorization algorithm.

(Mod $p$)-attack for small $d$ using a modulus $N = p^r q$

INPUT: $(N, e)$, where $N = p^r q$ and $ed = 1 \bmod \phi(N)$ for some $d < N^{\frac{r}{(r+1)^2}}$.

1. Compute $E = e^{-1} \bmod N$. If the computation of $E$ fails, output $p, q$.

2. Run the algorithm of Theorem 2 on input $E$. If the algorithm's output
is $p, q$ then EXIT.

3. Otherwise set $d = E$ and run a probabilistic factorization algorithm on
input $(N, e, d)$.

OUTPUT: $p, q$

Since every step of the algorithm runs in (probabilistic) polynomial time, this
concludes the proof of the theorem. □



Theorem 3 gives us a polynomial time factoring algorithm whenever a certain
amount of the MSBs of $d$ are zero. The following corollary shows how the proof
of Theorem 3 can be easily generalized such that the result does not only hold if
the MSBs of $d$ are zero but instead if they are known to the attacker. This gives
us a partial key exposure attack for known MSBs with an analogous bound.

Corollary 4 (MSB) Let $N = p^r q$, where $r \ge 2$ is a known constant and $p, q$ are
primes of the same bit-size. Let $(e, d) \in \mathbb{Z} \times \mathbb{Z}_{\phi(N)}$ be the public-key/secret-key
pair satisfying $ed = 1 \bmod \phi(N)$. Given $\tilde{d}$ such that

$|d - \tilde{d}| < N^{\frac{r}{(r+1)^2}}$.

Then $N$ can be factored in probabilistic polynomial time.

Proof: The key-pair $(e, d)$ satisfies the equality

$e(d - \tilde{d}) + e\tilde{d} - 1 = kp^{r-1}(p-1)(q-1)$ for some $k \in \mathbb{N}$.

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Let $E = e^{-1} \bmod N$, i.e. $Ee = 1 + cN$ for some $c \in \mathbb{N}$. If $E$ does not exist, we
obtain the factorization of $N$. Multiplying the above equation by $E$ yields

$(d - \tilde{d}) + E(e\tilde{d} - 1) = \left(Ekp^{r-2}(p-1)(q-1) - cp^{r-1}q(d - \tilde{d})\right)p$.

Thus, $E(e\tilde{d} - 1)$ is a multiple of $p$ up to an additive error of $|d - \tilde{d}| < N^{\frac{r}{(r+1)^2}}$.
The rest of the proof is completely analogous to the proof of Theorem 3. □

Corollary 4 implies that one has to know roughly a fraction of $1 - \frac{r}{(r+1)^2}$ of the
MSBs of $d$ for our partial key exposure attack. We can also derive a partial key
exposure attack for known LSBs with an analogous bound.

Corollary 5 (LSB) Let $N = p^r q$, where $r \ge 2$ is a known constant and $p, q$ are
primes of the same bit-size. Let $(e, d) \in \mathbb{Z} \times \mathbb{Z}_{\phi(N)}$ be the public-key/secret-key
pair satisfying $ed = 1 \bmod \phi(N)$. Given $d_0, M$ with $d = d_0 \bmod M$ and

$M > N^{1 - \frac{r}{(r+1)^2}}$.

Then $N$ can be factored in probabilistic polynomial time.

Proof: Let us write $d = d_1 M + d_0$, where the unknown $d_1$ satisfies
$d_1 = \frac{d - d_0}{M} < \frac{N}{M} < N^{\frac{r}{(r+1)^2}}$. We have the key equation

$ed_1 M + ed_0 - 1 = kp^{r-1}(p-1)(q-1)$ for some $k \in \mathbb{N}$.

Multiply the equation by $E = (eM)^{-1} \bmod N$. We see that $E(ed_0 - 1)$ is a
multiple of $p$ up to an additive error of $|d_1| < N^{\frac{r}{(r+1)^2}}$. The rest of the proof is
analogous to the proof of Theorem 3. □



4 Attack Modulo $p^{r-1}$

Our first attack applied Theorem 2 which in turn uses a polynomial with small
roots modulo $p$. In our second attack we will construct a polynomial with a small
root modulo $p^{r-1}$ and directly apply Coppersmith's method in the univariate
case (Theorem 1). This approach yields better results than the first one whenever
$r \ge 3$.

Theorem 6 Let $N = p^r q$, where $r \ge 2$ is a known constant and $p, q$ are primes
of the same bit-size. Let $(e, d) \in \mathbb{Z} \times \mathbb{Z}_{\phi(N)}$ be the public-key/secret-key pair
satisfying $ed = 1 \bmod \phi(N)$. Suppose that

$d < N^{\left(\frac{r-1}{r+1}\right)^2}$.

Then $N$ can be factored in probabilistic polynomial time.
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Proof: The key pair $(e, d)$ satisfies the equation

$ed - 1 = kp^{r-1}(p-1)(q-1)$ for some $k \in \mathbb{N}$.

Let $E$ be the inverse of $e$ modulo $N$, i.e. $Ee = 1 + cN$ for some $c \in \mathbb{N}$. In the
case that $E$ does not exist, $\gcd(e, N)$ yields the complete factorization of $N$ as
shown in the proof of Theorem 3. Multiplying our equation by $E$ leads to

$d - E = \left(Ek(p-1)(q-1) - cdpq\right)p^{r-1}$.

This gives us a simple univariate polynomial

$f_{p^{r-1}}(x) = x - E$

with the root $x_0 = d$ modulo $p^{r-1}$.

Thus, we have a polynomial $f_{p^{r-1}}$ of degree $\delta = 1$ with a root $x_0$ modulo
$p^{r-1}$. In order to apply Theorem 1, we have to find a lower bound for $p^{r-1}$ in
terms of $N$.

Since $p$ and $q$ are of the same bit-size, we know that $p > \frac{1}{2}q$. Hence
$p^{r-1} > \left(\tfrac{1}{2}N\right)^{\frac{r-1}{r+1}}$, since $N = p^r q < 2p^{r+1}$. This gives us

$p^{r-1} > \left(\tfrac{1}{2}\right)^{\frac{r-1}{r+1}} N^{\frac{r-1}{r+1}} = N^{\frac{r-1}{r+1} - \frac{r-1}{(r+1)\log N}}.$

Thus, we can choose $\beta = \frac{r-1}{r+1} - \frac{r-1}{(r+1)\log N}$ and apply Theorem 1 with the parameter
choice $\beta$, $\delta$ and $c_N = 4$. We can find all roots $x_0$ that are in absolute value
smaller than

$4N^{\beta^2} = N^{\left(\frac{r-1}{r+1}\right)^2 - \frac{2(r-1)^2}{(r+1)^2 \log N} + \frac{(r-1)^2}{(r+1)^2 \log^2 N} + \frac{2}{\log N}} \ge N^{\left(\frac{r-1}{r+1}\right)^2} = N^{\frac{(r-1)^2}{(r+1)^2}}.$

Hence, we obtain the value $x_0 = d$. We can run a probabilistic factorization
algorithm on input $(N, e, d)$ in order to obtain the factorization of $N$ in expected
polynomial time.



Remark 7 Another (deterministic) polynomial time method to find the factorization
of $N$ could be the computation of $\gcd(ed - 1, N)$. Since $ed - 1 = kp^{r-1}(p-1)(q-1)$,
the computation yields a non-trivial divisor of $N$ iff $pq$ does
not divide $k(p-1)(q-1)$, which is unlikely to happen. As shown in the proof of
Theorem 3, a non-trivial divisor of $N$ reveals the complete factorization of the
modulus. So in practice, one might try this alternative gcd-method first and if it
fails, one applies a probabilistic algorithm on the key-pair $(N, e, d)$.
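The algebra behind Theorem 3, Theorem 6 and Remark 7 can be checked on a constructed toy modulus. The following Python block is an added example and not code from the paper: it builds $N = p^r q$ from constructed small primes, verifies that $E = e^{-1} \bmod N$ agrees with $d$ modulo $p^{r-1}$ (the identity both attacks rest on), evaluates the two small-$d$ bounds in exact integer form as a key-validation check a defender can run on a candidate key, and computes the $\gcd(ed - 1, N)$ of Remark 7. The primes 1009 and 1013 and the secret exponents are constructed values; the lattice algorithms of Theorems 1 and 2 are not implemented here.

```python
from math import gcd


def toy_keypair(p, q, r, d):
    """Constructed toy modulus N = p^r q with a chosen secret exponent d.
    Returns (N, e) with e = d^{-1} mod phi(N), phi(N) = p^{r-1}(p-1)(q-1).
    Raises ValueError if gcd(d, phi(N)) != 1 (no such e exists)."""
    N = p ** r * q
    phi = p ** (r - 1) * (p - 1) * (q - 1)
    e = pow(d, -1, phi)
    return N, e


def inverse_mod_N_relation(N, e, d, p, r):
    """The identity used in the proofs of Theorems 3 and 6: with E = e^{-1} mod N,
    e(d - E) = k*phi(N) - c*N is divisible by p^{r-1}, and gcd(e, p) = 1, so
    d - E is a multiple of p^{r-1} (and hence of p)."""
    E = pow(e, -1, N)
    return (d - E) % (p ** (r - 1)) == 0


def d_is_weak(N, r, d):
    """Exact integer form of the two small-d bounds, no floating point:
       Theorem 3:  d < N^{r/(r+1)^2}          <=>  d^{(r+1)^2} < N^r
       Theorem 6:  d < N^{((r-1)/(r+1))^2}    <=>  d^{(r+1)^2} < N^{(r-1)^2}
    Returns (weak_under_theorem_3, weak_under_theorem_6)."""
    lhs = d ** ((r + 1) ** 2)
    return lhs < N ** r, lhs < N ** ((r - 1) ** 2)


def gcd_divisor(N, e, d):
    """Remark 7: gcd(ed - 1, N) is a non-trivial divisor of N unless
    pq divides k(p-1)(q-1). Returns the divisor, or None when trivial."""
    g = gcd(e * d - 1, N)
    return g if 1 < g < N else None


if __name__ == "__main__":
    # Constructed example: r = 3, tiny primes, deliberately small d = 5.
    p, q, r = 1009, 1013, 3
    N, e = toy_keypair(p, q, r, 5)
    print(inverse_mod_N_relation(N, e, 5, p, r))   # True
    print(d_is_weak(N, r, 5))                       # (True, True)
    print(gcd_divisor(N, e, 5))                     # 1018081 == p^2
    # A secret exponent above both bounds is not flagged.
    N2, _ = toy_keypair(p, q, r, 2 ** 20 + 1)
    print(d_is_weak(N2, r, 2 ** 20 + 1))            # (False, False)
```

For the $d = 5$ key, $ed - 1 = 4\phi(N)$, so $k = 4$ and $\gcd(ed - 1, N) = p^2$: the gcd of Remark 7 already exposes the factorization without any lattice step. The bound check is the piece a key-generation routine for an $N = p^r q$ scheme would keep: it rejects exponents in the range the theorems cover, with $r = 3$ giving the $N^{3/16}$ and $N^{1/4}$ thresholds stated in the text.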



Let us summarize our new factorization algorithm.

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(Mod $p^{r-1}$)-attack for small $d$ using a modulus $N = p^r q$

INPUT: $(N, e)$, where $N = p^r q$ and $ed = 1 \bmod \phi(N)$ for some $d < N^{\left(\frac{r-1}{r+1}\right)^2}$.

1. Compute $E = e^{-1} \bmod N$. If $E$ does not exist, compute $\gcd(e, N)$ and
output $p, q$.

2. Apply the algorithm of Theorem 1 on input $N$, $f_{p^{r-1}} = x - E$, $\beta = \frac{r-1}{r+1} - \frac{r-1}{(r+1)\log N}$
and $c_N = 2$. This gives us the value $d$.

3. If the computation $\gcd(ed - 1, N)$ yields the factorization, EXIT.

4. Run a probabilistic factorization algorithm on input $(N, e, d)$.

OUTPUT: $p, q$

Every step of the algorithm can be computed in probabilistic polynomial time,
which concludes the proof of Theorem 6. □



Similar to the first attack (the (Mod $p$)-attack) for small decryption exponent
$d$, we can also easily derive partial key exposure attacks for the new attack of
Theorem 6. The proof of Theorem 6 shows that in order to find the factorization
of $N$, it suffices to find a linear, univariate polynomial $f_{p^{r-1}}(x) = x + c$ with a
root $x_0$, $|x_0| < N^{\left(\frac{r-1}{r+1}\right)^2}$ modulo $p^{r-1}$.

We will show that this requirement is satisfied in the following partial key
exposure attacks. Instead of using small decryption exponents $d < N^{\left(\frac{r-1}{r+1}\right)^2} = N^{\frac{(r-1)^2}{(r+1)^2}}$,
the attacker has to know a fraction of roughly $\frac{4r}{(r+1)^2}$ of the bits of
$N$ in order to succeed.

Corollary 8 (MSB) Let $N = p^r q$, where $r \ge 2$ is a known constant and $p, q$ are
primes of the same bit-size. Let $(e, d) \in \mathbb{Z} \times \mathbb{Z}_{\phi(N)}$ be the public-key/secret-key
pair satisfying $ed = 1 \bmod \phi(N)$. Given $\tilde{d}$ with

$|d - \tilde{d}| < N^{\left(\frac{r-1}{r+1}\right)^2}$.

Then $N$ can be factored in probabilistic polynomial time.

Proof: We know that

$e(d - \tilde{d}) + e\tilde{d} - 1 = 0 \bmod \phi(N)$,

and $\phi(N)$ is a multiple of $p^{r-1}$. Multiply the equation by $E = e^{-1} \bmod N$, which
gives us the desired linear polynomial

$f_{p^{r-1}}(x) = x + E(e\tilde{d} - 1)$

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with the small root $x_0 = d - \tilde{d}$, $|x_0| < N^{\left(\frac{r-1}{r+1}\right)^2}$ modulo $p^{r-1}$. The rest of the
proof is analogous to the proof of Theorem 6. □



In a similar fashion, we derive a partial key exposure attack for known LSBs.

Corollary 9 (LSB) Let $N = p^r q$, where $r \ge 2$ is a known constant and $p, q$ are
primes of the same bit-size. Let $(e, d) \in \mathbb{Z} \times \mathbb{Z}_{\phi(N)}$ be the public-key/secret-key
pair satisfying $ed = 1 \bmod \phi(N)$. Given $d_0, M$ with $d = d_0 \bmod M$ and

$M > N^{1 - \left(\frac{r-1}{r+1}\right)^2}$.

Then $N$ can be factored in probabilistic polynomial time.

Proof: Let us write $d = d_1 M + d_0$. Then the unknown parameter satisfies
$d_1 < \frac{N}{M} < N^{\left(\frac{r-1}{r+1}\right)^2}$. For the key-pair $(e, d)$ we have

$e(d_1 M + d_0) - 1 = 0 \bmod \phi(N)$,

where $\phi(N)$ is a multiple of $p^{r-1}$. Multiplying this equation by $E = (eM)^{-1}$
modulo $N$ gives us the desired linear polynomial

$f_{p^{r-1}}(x) = x + E(ed_0 - 1)$

with the small root $d_1$ modulo $p^{r-1}$. The rest of the proof is analogous to the
proof of Theorem 6. □



5 Partial Key Exposure Attacks for $d_p = d$ Modulo $p - 1$

The partial key exposure attacks that we consider in this section for moduli
$N = p^r q$ can be considered as a generalization of the results of Blömer and
May [4]. The attacks are an application of the theorem of Boneh, Durfee and
Howgrave-Graham (Theorem 2).

We derive simple partial key exposure attacks for small public exponents $e$
in both cases: known MSBs and known LSBs. The new attacks are a threat to
schemes that use CRT-decoding (for instance Takagi's scheme [11]) in combination
with small public exponents.

Let us state our LSB-attack.

Theorem 10 Let $N = p^r q$, where $r \ge 1$ is a known constant and $p, q$ are primes
of the same bit-size. Let $e$ be the public key and let $d_p$ satisfy $ed_p = 1 \bmod p - 1$.
Given $d_0, M$ with $d_0 = d_p \bmod M$ and

$M > 2N^{\frac{1}{(r+1)^2}}$.

Then $N$ can be factored in time $e \cdot \mathrm{poly}(\log N)$.




228 Alexander May 



Proof: Let us consider the RSA key equation

$ed_p - 1 = k(p - 1)$ for some $k \in \mathbb{Z}$.

Since $d_p < (p - 1)$, we obtain the inequality $k < e$. Let us write $d_p = d_1 M + d_0$.
We can bound the unknown $d_1$ by $d_1 < \frac{p}{M} < N^{\frac{r}{(r+1)^2}}$. Our equation above can
be rewritten as

$ed_1 M + ed_0 + k - 1 = kp$.

Compute the inverse $E$ of $eM$ modulo $N$, i.e. $EeM = 1 + cN$ for some $c \in \mathbb{N}$.
If $E$ does not exist, we obtain from $\gcd(eM, N)$ the complete factorization of $N$
as shown in Theorem 3. Multiplying our equation with $E$ leaves us with

$d_1 + E(ed_0 + k - 1) = (Ek - cp^{r-1}qd_1)p$.

Thus, $E(ed_0 + k - 1)$ is a multiple of $p$ up to some additive error $d_1 < N^{\frac{r}{(r+1)^2}}$.

Since the parameter $k$ is unknown, we have to do a brute force search for $k$ in
the interval $[1, e)$. In order to apply Theorem 2, it remains to show that the term
$(Ek - cp^{r-1}qd_1)$ is not a multiple of $p^{r-1}q$. This is equivalent to the condition
that $p^{r-1}q$ does not divide $Ek$, but we know that $\gcd(E, N) = 1$ and thus $p^{r-1}q$
must not divide $k$. But $p^{r-1}q$ cannot divide $k$ in the case $e < p^{r-1}q$ and otherwise
we can easily check the condition by computing $\gcd(k, N)$ for every possible $k$.
The algorithm of Theorem 2 yields the factorization of $N$ for the correct guess
of $k$.

We briefly summarize our factorization algorithm.

Algorithm LSB-Attack for $d_p$ and moduli $N = p^r q$

INPUT: - $(N, e)$, where $N = p^r q$ and $d_p$ satisfies $ed_p = 1 \bmod p - 1$
- $d_0, M$ with $d_0 = d_p \bmod M$ and $M > 2N^{\frac{1}{(r+1)^2}}$

1. Compute $E = (eM)^{-1} \bmod N$. If the computation of $E$ fails, find the
factors $p, q$ of $N$ using $\gcd(eM, N)$.

2. FOR $k = 1$ TO $e$

(a) If $\gcd(k, N) > 1$ find the factors $p, q$.

(b) Run the algorithm of Theorem 2 on input $E(ed_0 + k - 1)$. If the
algorithm's output is $p, q$ then EXIT.

OUTPUT: $p, q$

The running time of the algorithm is $e \cdot \mathrm{poly}(\log N)$, which concludes the proof. □



Note that our method from Theorem 10 is polynomial time for public exponents
of the size $\mathrm{poly}(\log N)$ and requires only a $\frac{1}{(r+1)^2}$-fraction of the bits (in
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terms of the size of $N$), which is a $\frac{1}{r+1}$-fraction of the bits of $d_p$. The following
theorem gives us a similar result for partial key exposure attacks with known
MSBs, but in contrast the method is polynomial time for all public exponents
$e < N^{\frac{r}{(r+1)^2}}$.

We show that an approximation of $d_p$ up to $N^{\frac{r}{(r+1)^2} - \alpha}$ suffices to find the
factorization of $N$. Note that $d_p$ is of size roughly $N^{\frac{1}{r+1}}$. Hence in the case $\alpha = 0$,
a fraction of $\frac{1}{(r+1)^2}$ of the bits is enough (in terms of the size of $N$).

Theorem 11 Let $N = p^r q$, where $r \ge 1$ is a known constant and $p, q$ are
primes of the same bit-size. Let $e = N^{\alpha}$, $\alpha \in [0, \frac{r}{(r+1)^2}]$ be the public key and let
$d_p$ satisfy $ed_p = 1 \bmod p - 1$. Given $\tilde{d}$ with

$|d_p - \tilde{d}| < N^{\frac{r}{(r+1)^2} - \alpha}$.

Then $N$ can be factored in polynomial time.

Proof: We know that

$ed_p - 1 = k(p - 1)$ for some $k \in \mathbb{N}$,

with $k < e$. The term $e\tilde{d}$ is an approximation of $kp$ up to an additive error of

$|kp - e\tilde{d}| = |e(d_p - \tilde{d}) + k - 1| \le |e(d_p - \tilde{d})| + |k - 1| < N^{\frac{r}{(r+1)^2}} + N^{\alpha} \le 2N^{\frac{r}{(r+1)^2}}$.

Thus, one of the terms $e\tilde{d} \pm N^{\frac{r}{(r+1)^2}}$ satisfies the bound of Theorem 2. Note that
the algorithm of Theorem 2 can be applied since $k < e \le N^{\frac{r}{(r+1)^2}}$ and thus $k$
cannot be a multiple of $p^{r-1}q = \Omega(N^{\frac{r}{r+1}})$.

Let us briefly summarize the factorization algorithm.

MSB-Attack for $d_p$ and moduli $N = p^r q$

INPUT: - $(N, e)$, where $N = p^r q$ and $d_p$ satisfies $ed_p = 1 \bmod p - 1$
- $\tilde{d}$ with $|d_p - \tilde{d}| < N^{\frac{r}{(r+1)^2} - \alpha}$ where $\alpha = \log_N(e)$.

1. Compute $\hat{p} = e\tilde{d}$.

2. Run the algorithm of Theorem 2 on input $\hat{p} + N^{\frac{r}{(r+1)^2}}$. If the algorithm's
output is $p, q$ then EXIT.

3. Otherwise run the algorithm of Theorem 2 on input $\hat{p} - N^{\frac{r}{(r+1)^2}}$.

OUTPUT: $p, q$

The algorithm runs in time polynomial in $\log N$, which concludes the proof. □
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Abstract. Strong notions of security for unconditionally secure digital
signature schemes (USDS) were recently proposed where security is defined
based on notions of security in computationally-secure digital signatures.
The traditional area of unconditionally secure authentication,
however, is that of "authentication codes" (A-codes). Relations between
primitives are central to cryptographic research. To this end, we develop
a novel "general group-based A-code" framework which includes known
types of group A-codes and their extensions, including the newly proposed
USDS, and also allows other models to be systematically described
and analysed. In particular, information theoretic analysis of these codes
can be applied to USDS, establishing fundamental bounds on USDS parameters.

A second contribution herein is a modular algebraic method of synthesising
group codes from simpler A-codes, such that security of the group
code follows directly from the component codes. We demonstrate our approach
by constructing and analysing a USDS satisfying the 'strongest
security notion'.



1 Introduction 

Digital signatures are the basic authentication primitive in modern cryptography.
They are known to be equivalent to the existence of one-way functions, and thus
to rely on computational assumptions [12]. There are, however, settings where
reliance on computational assumptions is inappropriate (typically for small mutually
distrusting groups of entities that do not know each other's computational
or technological advantages, e.g. advances in quantum computations, as is the
setting between nations). The alternative model for secure authentication, when
there is no assumption regarding the adversary's computational power, has been
A-codes as suggested by Simmons [16]. This was indeed motivated by authentication
procedures between the USA and USSR regarding treaty verification.

In recent years a number of unconditionally secure digital signature schemes,
both in interactive [2] and non-interactive settings, have been proposed. We consider
a non-interactive setting where a trusted Key Distribution Centre (KDC)
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or trusted authority (TA) generates and distributes the key information of system
participants. The two main approaches satisfying these assumptions are due
to Johansson (J99) [11], who considered a variant of multireceiver authentication
codes with an untrusted sender and an arbiter, and called it Unconditionally Secure
Digital Signature (USDS), and Hanaoka, Shikata, Zheng, and Imai [7, 15]
(referred to as HSZI00 and SHZI02, respectively) who recently proposed a range
of new security notions for USDS. In Eurocrypt 2002 [15], the authors formalised
their approach independent of the theory of A-codes, and proposed the 'strongest
notion' of security for USDS without reference to these codes. They constructed
a USDS that provided the 'strongest security notion'.

To understand these proposals we develop a unified framework allowing evaluation
of USDS schemes within the domain of A-codes. We view the work and
scenarios of HSZI00/SHZI02 as providing motivation for studying A-code generalisations.
One may mistake the use of new notions in HSZI00/SHZI02 to mean
extensions of this theory cannot capture the new settings (and that perhaps a
new type of theory, similar to that for conditionally secure signatures, is needed).
We believe our work puts things in order, in this respect.

A second contribution of this paper is proposing a modular algebraic method 
for synthesising group A-codes. This is particularly important because construct- 
ing A-codes for complex authentication scenarios can become a formidable task 
and approaches that allow ‘re-use’ of proven secure schemes as building blocks 
will provide an attractive option. 



Review of A-codes 

Unconditionally secure authentication codes were first constructed in [6] and
then modelled and analysed in [16]. The original A-codes were symmetric key
primitives for communication between two honest participants, secure against
spoofing attacks. Simmons derived the first information theoretic bound on impersonation;
bounds on higher order spoofing were later obtained [10, 18].

Simmons [17] also considered $A^2$-codes in which sender and receiver are
distrusted. The sender may deny a sent message, and a receiver may substitute
a received message or try to ascribe a message to the sender. $A^2$-codes are
asymmetric primitives in which the sending and receiving keys differ. Simmons
showed the need for a trusted arbiter, with the key information of the sender
and receiver, to resolve disputes. In $A^3$-codes [1, 3] the trust in the arbiter is
reduced and the arbiter may attempt to construct fraudulent messages.

Group-based A-codes were introduced by [4] and extended by [5, 11, 13,
14]. In multireceiver A-codes (MRA) [4] a sender constructs an authenticated
message that is verifiable by each member of a verifier group. The sender is
trusted but receivers may collude to construct a fraudulent message on behalf of
the sender. In (J99) [11] the senders are distrusted, and the resulting system was
called an Unconditionally Secure Digital Signature (USDS). In this model the
sender may deny his constructed message. We call this model an $MRA^2$-code,
since the trust assumption is most similar to $A^2$-codes.
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Requirements of a USDS

In a USDS scheme signers and verifiers are distrusted. They may try to forge
signed messages, or repudiate their own signed messages. Let $U$ denote a set of
distrusted participants. Any $U_i \in U$ can sign a message that is verifiable by all
$U_j \in U$. An important property of standard digital signatures is that if $U_i$ obtains
a signed message from $U_j$ he can convince $U_k$ that the message is from $U_j$; this
is called transferability. We require the following properties to be satisfied.

Transferability: $U_j$ can convince any $U_k \in U$, $k \notin \{i, j\}$, the message is from $U_i$.
Unforgeability: A colluding subset $C \subset U$ has a negligible probability of constructing
a fraudulent message that is acceptable by a group member $U_k$ as
signed by $U_i$, where:

(i) $U_i \in C$, and can deny the message (non-repudiation).

(ii) $U_i \notin C$, and the message is not generated by $U_i$.

These properties match the requirements of the first unconditionally secure
signature (interactive) protocol [2], and are closest to those achieved in computationally
secure signature schemes. An important difference between computationally
and unconditionally secure digital signatures is that in USDS verification
cannot be a public process, and so secret keys are needed, which, as noted in
[11, 13, 15], must be different for each group member.



Our Results

We propose a common framework for modelling and analysing asymmetric group
A-codes and USDS schemes. We introduce authentication and verification oracles
which adversaries interact with to obtain spoofing information. We also
introduce authentication scenarios and outline a general way of expressing security
goals and the adversary's power. We give a generalised bound that applies
in such scenarios. Our work suggests numerous variations on defining security
goals of a group-based A-code and adversaries' power. Critically, the framework
allows information theoretic security and efficiency evaluations for USDS.

We also propose a methodical approach to synthesising complex group-based 
USDS systems with provable security, starting from simple component systems 
with provable security. This approach is algebraic and while sometimes pro- 
viding less efficient constructions it avoids some disadvantages of combinatorial 
synthesis. Furthermore, security proofs follow from security of components. 

The rest of the paper is organised as follows: In section 2 we recall parts of 
A-code theory. In section 3 we propose our model of asymmetric group authen- 
tication codes (USDS) and show how previous USDS models fit in this frame- 
work. Section 4 contains the new design methodology with concrete construc- 
tions, while section 5 sketches our general framework for group authentication. 
Finally, section 6 contains our concluding comments. 
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2 Preliminaries

An authentication code may be represented as a 4-tuple, $\mathcal{C} = (\mathcal{S}, \mathcal{M}, \mathcal{E}, f)$,
where $\mathcal{S}, \mathcal{M}, \mathcal{E}$ are the sets of source states, messages and keys, respectively. The
function $f : \mathcal{S} \times \mathcal{E} \to \mathcal{M}$ takes a source state $s$, a key $e$ and generates the corresponding
message $m$. The function $f$ defines two algorithms; an authentication
algorithm used by the sender to generate an authenticated message, and a verification
algorithm used by the receiver to verify a received message. There is also a
key generation algorithm that generates key information for the system. We use
systematic Cartesian A-codes, wherein the messages are of the form $(s, t)$, where
the tag $t$ is used to authenticate the source state $s$. Such an authentication code
is represented as a 3-tuple $\mathcal{C} = (\mathcal{S}, \mathcal{A}, \mathcal{E})$ with $t = e(s)$, $e \in \mathcal{E}$, $s \in \mathcal{S}$, and $\mathcal{A}$ being
the set of tags (or authenticators). A-codes are symmetric key systems and the
secret key is shared by sender and receiver, who are assumed to be trusted.

An attacker may inject a fraudulent message into the system (an impersonation
attack), or construct a fraudulent message $m'$ after observing a valid
message $m$ (a substitution attack). In both cases the attacker succeeds if the
fraudulent message is accepted. The best success probabilities of the attacker in
the two attacks are denoted $P_I$ and $P_S$, respectively. A message $m$ is valid for a
key $e$ if $m \in \mathcal{M}(e)$, where $e$ is the key shared by the sender and receiver. Security
of an A-code is defined by the attacker's best success probability in the attacks.

$P_I = \max_{m \in \mathcal{M}} P(m \text{ is valid for } e), \qquad P_S = \max_{m \in \mathcal{M},\; m' \in \mathcal{M} \setminus \{m\}} P(m' \text{ is valid for } e \mid m).$

An A-code has $\epsilon$-security if the success probability of any attack is at most $\epsilon$.

In $A^2$-codes one considers the signer's denial attack and the receiver's impersonation
and substitution attacks. In $A^3$-codes [1, 3] fraud by the arbiter is treated also.

Authentication systems may provide security for more than one message. In
spoofing of order $t$, the attackers have access to up to $t$ authenticated messages.
Order 0 and 1 spoofing are impersonation and substitution, respectively. Codes
that provide security for $t$ messages are denoted as $tA$, $tA^2$ and $tA^3$-codes.

Efficiency parameters of an A-code include participants' key sizes, and the
length of the authenticator. Performance bounds provide fundamental limits on
these parameters for a given level of security, or alternatively bound the security
level for a given set of parameters. Two types of bounds are derived for A-codes:
information theoretic bounds on the success probability of attacks in terms of
information theoretic measures, and combinatorial bounds on the sizes of the
key spaces and authenticator in the system. Information theoretic bounds for
A-codes were given in [6, 16] and later derived for other models [11].

Group-based A-codes (the subject of this work) were introduced in [4] and
developed by numerous authors [5, 11, 13, 14]. Multireceiver A-codes (MRA-codes)
allow a single trusted sender to send a message to a group of receivers such
that each receiver can individually verify the message. A $(\epsilon, w, n)$-MRA-code
is an MRA-code for which the success probability of the best attack (impersonation
and substitution) for a colluding group of $w$ verifiers is less than $\epsilon$.
Information theoretic bounds and constructions for such codes are given in [13].
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2.1 Constructions

Numerous constructions of A-codes have been proposed (for example [4, 13, 14,
16]). We briefly recall constructions to be used in this paper.

Polynomial A-code [4] ($\mathcal{C}_0$) Consider the A-code defined by the function
$f(x) = a + bx$, where $(a, b) \in \mathbb{F}_q^2$ is the key and the authenticator for the source
state $s \in \mathbb{F}_q$ is given by $f(s)$. This code satisfies $P_I = P_S = 1/q$.

Polynomial $(\epsilon, w, n)$-MRA-code [4] ($\mathcal{C}_1$) The sender has two polynomials
$f(x)$ and $g(x)$, both of degree at most $w$, with coefficients over $\mathbb{F}_q$, the finite
field with $q$ elements. Each receiver $U_i$ is given $(u_i, f(u_i), g(u_i))$, where $u_i \in \mathbb{F}_q$ is
public and $u_i \ne u_j$, $i \ne j$. To authenticate a source state $s$, the sender constructs
the tag $a(x) = f(x) + sg(x)$ and appends it to $s$. The receiver $U_i$ accepts a
message $(s, a(x))$ as authentic if $f(u_i) + sg(u_i) = a(u_i)$. The construction has
$\epsilon = 1/q$ and is optimal with respect to tag length and key sizes.
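As an added example (not the paper's own code), the following Python block implements the two constructions above over a prime field: $\mathcal{C}_0$ with key $(a, b)$ and tag $a + bs$, and $\mathcal{C}_1$ with sender polynomials $f, g$ and receiver keys $(u_i, f(u_i), g(u_i))$. It also evaluates the impersonation and substitution probabilities $P_I$ and $P_S$ defined in Section 2 exhaustively for $\mathcal{C}_0$ with a small $q$, which reproduces the stated $1/q$. The field sizes, the seed and the sample source states are constructed values; the evaluations $f(u_i), g(u_i)$ are the receiver's secret, $u_i$ is public, as in the text.

```python
from fractions import Fraction
import random

# ---- C_0: polynomial A-code, tag f(s) = a + b*s over F_q (q prime) ----

def c0_keygen(q, rng):
    """Key (a, b) drawn uniformly from F_q x F_q, shared by sender and receiver."""
    return (rng.randrange(q), rng.randrange(q))

def c0_tag(key, s, q):
    a, b = key
    return (a + b * s) % q

def c0_verify(key, s, t, q):
    return c0_tag(key, s, q) == t

def c0_attack_probabilities(q):
    """Exhaustive P_I and P_S for C_0 over F_q with uniform keys (small q only).
    P_I: best message (s, t) with no observation.
    P_S: observe a valid (s, t), then best (s', t') with s' != s."""
    keys = [(a, b) for a in range(q) for b in range(q)]
    p_i = max(Fraction(sum(c0_verify(k, s, t, q) for k in keys), len(keys))
              for s in range(q) for t in range(q))
    p_s = Fraction(0)
    for s in range(q):
        for t in range(q):
            # keys still possible after observing the valid message (s, t)
            consistent = [k for k in keys if c0_verify(k, s, t, q)]
            for s2 in range(q):
                if s2 == s:
                    continue
                for t2 in range(q):
                    hits = sum(c0_verify(k, s2, t2, q) for k in consistent)
                    p_s = max(p_s, Fraction(hits, len(consistent)))
    return p_i, p_s

# ---- C_1: polynomial (eps, w, n)-MRA-code ----

def poly_eval(coeffs, x, q):
    """Evaluate sum_i coeffs[i] * x^i in F_q by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc

def mra_receiver_keys(sender_key, identities, q):
    """Receiver U_i holds (u_i, f(u_i), g(u_i)); u_i is public, the two evaluations are secret."""
    f, g = sender_key
    return [(u, poly_eval(f, u, q), poly_eval(g, u, q)) for u in identities]

def mra_keygen(q, w, n, rng):
    """Sender key: random f, g of degree at most w; n distinct public identities u_i."""
    f = [rng.randrange(q) for _ in range(w + 1)]
    g = [rng.randrange(q) for _ in range(w + 1)]
    identities = rng.sample(range(q), n)
    return (f, g), mra_receiver_keys((f, g), identities, q)

def mra_sign(sender_key, s, q):
    """Tag polynomial a(x) = f(x) + s*g(x), transmitted as its coefficient list."""
    f, g = sender_key
    return [(fi + s * gi) % q for fi, gi in zip(f, g)]

def mra_verify(receiver_key, s, a, q):
    """U_i accepts (s, a(x)) iff a(u_i) == f(u_i) + s*g(u_i)."""
    u, fu, gu = receiver_key
    return poly_eval(a, u, q) == (fu + s * gu) % q

if __name__ == "__main__":
    print(c0_attack_probabilities(7))                        # (Fraction(1, 7), Fraction(1, 7))
    sk, receivers = mra_keygen(101, 3, 5, random.Random(2004))  # constructed seed
    tag = mra_sign(sk, 42, 101)
    print(all(mra_verify(r, 42, tag, 101) for r in receivers))  # True
    print(any(mra_verify(r, 43, tag, 101) for r in receivers))  # False unless g(u_i) = 0
```

The exhaustive computation is the definition of $P_I$ and $P_S$ applied literally: for $\mathcal{C}_0$ every observed $(s, t)$ leaves exactly $q$ consistent keys (one $a$ per $b$), and a substituted $(s', t')$ is accepted by exactly one of them, which is why both probabilities come out as $1/q$. In $\mathcal{C}_1$ a receiver only ever learns two field elements, so $w$ colluders hold $w$ evaluations of polynomials of degree $w$, one short of what interpolation needs to recover $f$ and $g$.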

3 Asymmetric Authentication in Groups: USDS 

We consider systems where no participant is trusted (except, possibly the ar- 
biter), and where participants’ keys are only known to themselves, hence the 
term asymmetric. We focus on single signer schemes. 

3.1 A General Framework for Single Signer Group A-codes 

There is a set $U = \{U_0, U_1, \ldots, U_n, U_A\}$ of distrusted participants, each with
secret key information. The set $U$ contains $n$ verifiers, an arbiter $U_A$, and a
signer $U_0$. A message signed by $U_0$ is acceptable to all verifiers. We assume the
arbiter has the algorithm and key information of a verifier, so the arbiter's key
information is the same as a verifier's. Arbitration is performed by applying
the verification algorithm to a 'suspect' signed message and using the result to
resolve the dispute following arbitration rules.

Each user has a distinct identity encoded in the source state: for example the
source state can be the concatenation of the user's identity and the information
signed. The signer wants to sign $s \in \mathcal{S}$ so any verifier can verify the signature.

The adversary can corrupt a group $C$, of at most $w$ verifiers, and possibly the
signer and/or the arbiter. This is the model in earlier group-based A-codes and
USDS. Including the arbiter assesses security under extreme attack conditions.
One assumes, however, the arbiter follows the correct arbitration rules.

We consider the following types of attacks.

1. $U_0 \in C$. A denial attack where $U_0$ signs a message, then denies it. Colluders
succeed if, following arbitration, the message is deemed not from $U_0$.

2. $U_0 \notin C$. In this case the attack is one of the following types.

• spoofing attack: The collusion constructs a message valid for a verifier.

• framing attack: The colluders construct a message attributable to $U_0$ and
acceptable to a verifier. We note the verifier, in this case, may be part
of the collusion.

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In spoofing attacks colluders succeed if their fraudulent message is acceptable
to a target verifier. The message may or may not be valid for (constructible by)
$U_0$.

We remark that HSZI00 introduced an attack against transferability, called
'transfer with a trap'. We show in section 3.2 that this attack has less chance of
success than the above attacks and therefore need not be considered separately.

The above requirements are reminiscent of MRA-codes and thus we will use
the terms $MRA^2$-codes and $MRA^3$-codes when the arbiter is, or is not, trusted.
With a trusted arbiter, a signer's denial attack succeeds if the colluders construct
a message $m$ with $m \in \mathcal{M}(e_T)$ but $m \notin \mathcal{M}(e_A)$, $e_T$ being the target verifier's key
and $e_A$ the arbiter's key, distinct from all $e_i$, which denote the key of $U_i$.

We use $E_i, E_X, E_A$ and $E_C$ to denote sets of keys associated with verifier
$U_i$, signer $U_0$, arbiter $U_A$, and collusion $C$, respectively. The success in denial
attacks can be measured by the probability of a verifier $U_i$ accepting the message,
$m \in \mathcal{M}(e_i)$, but the arbiter not, i.e., $m \notin \mathcal{M}(e_A)$. In a verifier's spoofing attack
the message must be valid for a verifier $U_j$ and so $m \in \mathcal{M}(e_j)$, while in a verifier's
framing attack $m \in \mathcal{M}(e_X)$ and $m \in \mathcal{M}(e_i)$ for some verifier $U_i$.

Security of an $MRA^2$-code against the above attacks can be defined using the
probabilities $P_D^{t_A, t_{V_1}, t_{V_2}}$, $P_{RS}^{t_A, t_{V_1}, t_{V_2}}$ and $P_{RF}^{t_A, t_{V_1}, t_{V_2}}$. In the first attack the collusion
includes the signer, in the last two it does not. Each probability is obtained as the
best success probability of colluders. The superscripts represent colluders' ability
to collect information on uncorrupted verifiers' keys by oracle interaction.



Colluders' Information

Colluders have their key information. In traditional A-codes colluders may also
have access to prior authenticated messages sent over the channel. We model
such observations by queries to oracles that implement users' algorithms with
users' key information. We consider two types of oracles.

Authentication oracles (A-oracles) implement the authentication algorithm
with the signer's key. When presented with an Authentication query (A-query),
consisting of a source state $s \in \mathcal{S}$, the A-oracle generates the signed message
$m = (s, t)$ (or just the signature $t$).

The impersonation and substitution attacks in traditional A-codes correspond
to the case that 0 and 1 A-queries are allowed, respectively.

Verification oracles (V-oracles) implement the verification algorithm with a
particular verifier's key (as in SHZI02). On input $(s, t)$, the V-oracle generates
a TRUE/FALSE result. The queries to this oracle are called V-queries.

If the arbitration algorithm is different from the verifier's algorithm, we also
need to consider an arbitration oracle.

In symmetric A-codes, A-oracles and V-oracles have the same information;
i.e. they implement the same algorithm with the same keys, but in asymmetric
systems the oracles have different keys.

A V-query against a verifier $U_i$ gives information about the verification key of
$U_i$. If verifiers use the same verification algorithm with different keys chosen using
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the same algorithm (for example random selection with uniform distribution),
then the average information from a query will be the same for the two queried
verifiers.

Attacks will be against a target verifier. The V-queries against this verifier
will intuitively be expected to be more 'useful' than a query against a non-targeted
verifier. Thus we define Type $V_1$-queries ($V_2$-queries) as being
made to a non-targeted (targeted) verifier.

Security Evaluation

Let $e_C = \{e_j : j \in C\}$ be the colluders' key set. $P_D^{t_A, t_{V_1}, t_{V_2}}$, $P_{RS}^{t_A, t_{V_1}, t_{V_2}}$ and $P_{RF}^{t_A, t_{V_1}, t_{V_2}}$
denote success probabilities given $t_A$ A-queries, $t_{V_1}$ $V_1$-queries to each non-targeted
verifier and $t_{V_2}$ $V_2$-queries. Let $Q(t_A, t_{V_1}, t_{V_2})$ and $R(t_A, t_{V_1}, t_{V_2})$ denote
the sequence of queries and responses, respectively, and let $(Q, R)(t_A, t_{V_1}, t_{V_2})$
denote the pair of queries and responses.

$P_D^{t_{V_1}, t_{V_2}} = \max_{C \subset U} \; \max_{Q(t_{V_1}, t_{V_2})} \; \max_{m \notin \mathcal{M}(e_A)} P(m \text{ is valid for } U_i, \text{ invalid for } U_A \mid e_C, (Q, R)(t_{V_1}, t_{V_2}))$

$P_{RS}^{t_A, t_{V_1}, t_{V_2}} = \max_{C \subset U} \; \max_{Q(t_A, t_{V_1}, t_{V_2})} P(m \text{ is valid for } U_j \mid e_C, (Q, R)(t_A, t_{V_1}, t_{V_2}))$

$P_{RF}^{t_A, t_{V_1}, t_{V_2}} = \max_{C \subset U} \; \max_{Q(t_A, t_{V_1}, t_{V_2})} P(m \text{ is valid for } U_0 \mid e_C, (Q, R)(t_A, t_{V_1}, t_{V_2}))$

We say a system is $(\epsilon, w, n, t_A, t_{V_1}, t_{V_2})$-secure if the success chance of the
best attack when $t_A$ queries of type A, $t_{V_1}$ queries of type $V_1$ and $t_{V_2}$ queries of
type $V_2$ are allowed, is at most $\epsilon$.

Adaptive and non-adaptive queries

In the model we allow the queries to be asked in an arbitrary order. The success probability considers all possible interactions involving t_A A-queries, t_{V_1} V_1-queries and t_{V_2} V_2-queries and is maximised as the attacker's best strategy.

MRA^3-codes are similarly defined but the arbiter may be in the collusion. In our model we assume the arbiter has the key information of a verifier. This means security of an MRA^3-code against a collusion containing U_A and w verifiers can be achieved by an (ε, w + 1, n)-MRA^2-code. Generally, the success probability of collusion attacks involving a dishonest arbiter must be considered.

A-queries and V-queries

Although distinguishing among the query types is important for the efficiency of constructions, we can guarantee some security against V-queries even if we only consider A-queries. The following Lemma shows protection against V_1-queries can be obtained by constructing codes providing protection against larger collusions.

Lemma 1. An (ε, w, n, t, 0, 0)-MRA^2 provides ε-security against collusions of size w − v, assuming colluders can have t A-queries and any number of V_1-queries against v verifiers.

This result follows since the information gained by V_1-queries to U_i at most equals the key held by U_i, which would be yielded up were U_i in the collusion.

V_2-queries provide information on the target verifier's key. For secure codes, one expects to obtain less information from queries resulting in FALSE compared to those giving TRUE. This is since the probability of the former type of queries is expected to be higher than that of the latter.

3.2 Security Notions in HSZI00 and SHZI02

One main aim of developing our framework is to unify USDS, including SHZI02. We address this here. HSZI00 correctly recognised the inadequacy of MRA and DMRA-codes as USDS and argued that multireceiver A-codes make sense only in a broadcast environment [7, p.132] and [8, p.69].

The term 'multireceiver' in the A-code context refers to the property: any receiver who receives the authenticated message can verify it. This is exactly as required in signature schemes. Multireceiver schemes do not 'require' that the signed message be received simultaneously by all group members. Rather they guarantee that if any group member receives the signed message then they can verify it. However, as noted earlier, MRA-systems assume a trusted sender and so do not provide security against attacks by collusions including a distrusted signer. The model proposed in section 3.1 assumes the signer is distrusted.

The following Lemma shows we need not consider the 'transfer with a trap' (so named by HSZI00) attack. In a 'transfer with a trap' colluders construct a forged message that is acceptable to U_i and not U_j or U_A, and so when U_i presents the message to U_j, U_i is trapped. Here the colluders may include the signer.

Lemma 2. The success probability in 'transfer with a trap' is at most equal to

$$\max\{P_D,\ P_{RS}\},$$

the denial and spoofing success probabilities of section 3.1.

Proof. If the signer is part of the collusion the attack succeeds if (i) the message satisfies the requirement for a successful denial attack, and (ii) is furthermore unacceptable to some receiver U_j. If the signer is not part of the collusion the attack succeeds if (i) the message satisfies the requirement for a successful spoofing attack, and (ii) is not acceptable to both the receiver U_j and the arbiter U_A. Success in transfer with a trap requires two conditions to be satisfied and thus has less chance of success than plain denial or spoofing attacks, respectively.

SHZI02 introduced a wide range of new security notions closely following computational models. They considered the 'strongest security notion' for their proposed construction. In our model of asymmetric group A-codes, we consider the most powerful collusion, with the most useful information, using their best strategy, with success defined by success against a single verifier. The most powerful collusion includes the signer and the arbiter, with their key information and access to oracle queries, and the attack goal is constructing 'a message' acceptable to 'a verifier' (in SHZI02 notation, existential forgery and existential acceptance). This is the same as the 'strongest security notion' in SHZI02.

Other types of forgeries in SHZI02 are total break and selective forgery, which are harder to achieve and, while expressible in our framework, are of less interest. Similarly, colluders' information can be restricted to key information only (key-only attacks), i.e. disallowing queries. As mentioned earlier, we consider all valid query sequences (§3.1), so adaptive queries need not be considered.

SHZI02 define other security goals (total and selective acceptance), both harder to achieve than the existential acceptance considered in our model and used in the 'strongest security notion'.

SHZI02 [15] note "the strongest signature scheme is one secure against existential acceptance forgery under adaptive chosen message attack and adaptive chosen signature attacks" and use this model for their constructions. The security model of MRA^3-codes matches this definition. In section 5 we give a language to express a wide range of security models in authentication scenarios. The value of particular scenarios depends on practical applications.

Information theoretic bounds

Establishing the relationship between USDS in the HSZI00 and SHZI02 models and multireceiver codes allows us to derive information theoretic bounds for USDS. We give bounds for the attacks defined in section 3.1. Since the arbiter is treated as having a verifier's information, the bounds for arbiter-inclusive attacks are the same as the bounds for a collusion of size w + 1. These bounds consider A-queries only and so the query set is Q(t_A), with (Q, R)(t_A) the message and response set. We use M' = M \ Q(t_A) to denote the rest of the message space and E_C for the keyspace of colluders.

Pd > ,(Q.«)(t )) 

pt > 2~Tm'-,e \e ,(Q,fi)(i )) 

RF — 

The bounds when V-queries are considered remain an open problem.



[Fig. 1: diagram relating (ε, w, n, t_A)-MRA, (ε, w, n, t_A)-MRA^2, (ε, w, n, t_A)-MRA^3, (ε, w, n, t_A, t_{V_1}, t_{V_2})-secure and (ε, w, n, t_A, t_V)-secure codes]

Fig. 1. The relationship between different types of security notions for authentication codes. We use A → B to imply that a code of type A satisfies the security requirements of a code of type B. All codes, except for (ε, w, n, t_A)-MRA, are types of USDS. The (ε, w, n, t_A, t_V) code satisfies the strongest security notions of SHZI02 with t_A A-queries, t_V V_1-queries and t_V − 1 V_2-queries. We note the two rightmost USDS are essentially the same and the distinction lies in separating V_1- and V_2-queries.
4 Constructions

In constructing group A-codes the challenge is to have secure and efficient constructions. Optimal constructions meet minimum requirements for keys and have the shortest signature length, but are rare and inflexible. ε-security gives guaranteed security without the highest efficiency, but with the advantage of providing flexibility and a wide range of constructions.

Proof of security for systems with complex security goals is generally difficult. We give two algebraic methods of constructing group-based A-codes from simpler A-codes. The constructions use polynomial codes where signature generation and verification can be expressed by evaluation of multivariate polynomials over a finite field F_q with q elements. We assume all polynomials are in F_q[x_1, …, x_n], the ring of polynomials over the finite field F_q. Constructions C_0 and C_1 are polynomial codes. Polynomial codes are generally efficient and often optimal.

A polynomial code can be expressed in terms of polynomials generated by the trusted authority (TA) during the key generation (KeyGen) phase. The signer receives a signing polynomial A(x, z) for generating signatures. Each receiver U_i gets a verification polynomial and some identification information u_i. The identifier may be public (private) if the sender is trusted (distrusted).

Signature generation (SigGen): The signature of a source s is a(z) = A(s, z). We assume authentication codes without secrecy so the signed message is (s, a(z)).

Signature verification (SigVer): A receiver U_i accepts a signed message iff a(z)|_{z=u_i} = V_i(x)|_{x=s}.

4.1 A Systematic Approach to Constructing Group A-codes

We use multiple instances of a component code, combined using powers of a single variable, or using distinct variables for each instance. We consider two synthesis algorithms, S_1 and S_2.

Synthesis Algorithm: S_1

KeyGen: The TA generates k + 1 instances of the component authentication code. For each instance j, a component signing key A_j(x, z) and component verification keys V_ij(x) for each verifier i are generated, such that V_ij(x) = A_j(x, u_i) where u_i ∈ F_q is U_i's identifier. The TA gives U_0 the polynomial

$$B(x,z,y) = \sum_{j=0}^{k} A_j(x,z)\,y^j$$

and each verifier U_i another identifier u'_i, if necessary, and a polynomial

$$W_i(x) = \sum_{j=0}^{k} V_{ij}(x)\,(u'_i)^j = B(x, u_i, u'_i).$$

SigGen: The signature of a source state s is a(z, y) = B(s, z, y).

SigVer: A receiver U_i accepts a signed message iff a(z, y)|_{z=u_i, y=u'_i} = W_i(x)|_{x=s}.

Discussion and Example for S_1

S_1 can be used to construct codes that provide protection for multiple receivers, construct asymmetric codes from symmetric codes, and construct dynamic sender codes from single sender codes.

We shall consider synthesis of an MRA-code from a two-party A-code. The approach can also be used to construct HSZI00 (dynamic sender) codes from an (ε, w, n, t_A)-secure code providing protection against collusions of size w and t A-queries.

Let the component code be C_0, where the signer has A(x) = a + bx and V(x) = A(x). Using S_1 we obtain an authentication code as follows.

KeyGen: The TA generates k + 1 instances of the code C_0, specified by A_j(x) = a_j + b_j x, 0 ≤ j ≤ k. The TA gives U_0 the polynomial

$$B(x,y) = \sum_{j=0}^{k} (a_j + b_j x)\,y^j$$

and each verifier U_i an identifier u_i and verification polynomial

$$W_i(x) = \sum_{j=0}^{k} (a_j + b_j x)\,u_i^{\,j}.$$

SigGen: The signature for a source state s is a(y) = B(s, y).

SigVer: User U_i accepts (s, a(y)) iff a(y)|_{y=u_i} = W_i(x)|_{x=s}.

The above construction is the same as the (ε = 1/q, k, n)-secure MRA-code of [4]. This follows since the signature generation function can be written as B_1(x, y) = Σ_{j=0}^{k} (a_j + b_j x) y^j = f(y) + x g(y). If u_i is only known to the receiver, we have an (ε, k, n)-MRA^2-code, with ε = 1/(q − k), since the signer cannot deny a signature.

Synthesis Algorithm: S_2

KeyGen: The TA generates k + 1 instances of the component authentication code. For instance j, a signing key A_j(x, z) and verification keys V_ij(x) = A_j(x, u_i), for each verifier i, are generated. The TA gives U_0 the polynomial

$$B(x,z,Y) = \sum_{j=0}^{k} A_j(x,z)\,Y_j$$

and each verifier U_i an identifier u_i, a randomly generated vector v_i ∈ F_q^{k+1}, also written as v_i = (v_{i0}, v_{i1}, …, v_{ik}), and a verification polynomial

$$W_i(x) = \sum_{j=0}^{k} V_{ij}(x)\,v_{ij}.$$

SigGen: The signature of a source state s is a(z, Y) = B(s, z, Y).

SigVer: A receiver U_i accepts a signed message iff a|_{z=u_i, Y=v_i} = W_i(x)|_{x=s}.



Discussion and Example for S_2

This algorithm allows one to construct asymmetric codes from symmetric ones, multireceiver codes from single receiver codes, or dynamic codes from single sender codes. Again we consider constructing an MRA-code from a two-party A-code. As before we use C_0 as the component code.

KeyGen: The TA randomly generates k + 1 instances of the code C_0, specified by the polynomials A_j(x) = a_j + b_j x, 0 ≤ j ≤ k. The TA gives U_0 the polynomial

$$B(x,Y) = \sum_{j=0}^{k} A_j(x)\,Y_j$$

and each U_i an identifier u_i ∈ F_q, a randomly generated vector v_i ∈ F_q^{k+1}, and a polynomial

$$W_i(x) = \sum_{j=0}^{k} A_j(x)\,v_{ij}.$$

SigGen: The signature for a source state s is a(Y) = B(s, Y).

SigVer: User U_i accepts (s, a(Y)) iff a(Y)|_{Y=v_i} = W_i(s).

Theorem 1. The above construction is an (ε, w, n)-MRA-code. The authenticator size and the key sizes for signer and user are k + 1, 2(k + 1) and k + 3 respectively. In this case ε = 1/q.

Intuitively this result follows since each copy of the two-party code provides security for a single colluder and for each colluder one copy of the code is added. Compared to C_1, obtained using S_1, this construction has a larger key size for verifiers but the same signer key size and the same signature length.
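The two syntheses above applied to C_0, as an added Python example (this is not code from the paper; q = 10007, the sample source state and the random generator are constructed here, and the TA's choices of a_j, b_j, u_i and v_i are uniformly random as the text requires). It signs one source state, checks the S_1 rule a(u_i) = W_i(s) and the S_2 rule Σ_j a_j(s) v_ij = W_i(s), and also shows that S_1 is the special case of S_2 in which the identity vector is the vector of powers (1, u_i, …, u_i^k), which is why the two share the signer key size 2(k + 1) and tag length k + 1 while the S_2 verifier key is k + 3 elements.

```python
"""Added example (not the paper's code): S_1 and S_2 applied to C_0 over F_Q.

C_0 is the two-party code with signing key A(x) = a + b x.  Q, the rng and the
sample source state are constructed for this example; the TA's choices of
a_j, b_j, u_i and v_i are uniformly random as the text requires.
"""
import secrets

Q = 10007  # prime, so F_Q is the integers mod Q (constructed parameter)


def poly_eval(coeffs, x):
    """Evaluate sum_j coeffs[j] x^j over F_Q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


class TrustedAuthority:
    """Generates k+1 instances A_j(x) = a_j + b_j x of C_0 and derives keys."""

    def __init__(self, k, rng=secrets.randbelow):
        self.k = k
        self.rng = rng
        self.a = [rng(Q) for _ in range(k + 1)]
        self.b = [rng(Q) for _ in range(k + 1)]

    def signer_key(self):
        # B(x, y) = sum_j (a_j + b_j x) y^j  (S_1), or B(x, Y) = sum_j (a_j + b_j x) Y_j
        # (S_2).  Either way the signer U_0 holds the 2(k+1) elements a_j, b_j.
        return list(self.a), list(self.b)

    def verifier_key_s1(self):
        # S_1: a secret identifier u_i and W_i(x) = B(x, u_i) = alpha + beta x
        u = self.rng(Q)
        return u, poly_eval(self.a, u), poly_eval(self.b, u)

    def verifier_key_s2(self):
        # S_2: a random vector v_i in F_Q^{k+1} and
        # W_i(x) = sum_j A_j(x) v_ij = alpha + beta x
        v = [self.rng(Q) for _ in range(self.k + 1)]
        alpha = sum(aj * vj for aj, vj in zip(self.a, v)) % Q
        beta = sum(bj * vj for bj, vj in zip(self.b, v)) % Q
        return v, alpha, beta


def sign(signer_key, s):
    """Tag for source state s: the k+1 values A_j(s) = a_j + b_j s.

    They are the coefficients of a(y) = B(s, y) under S_1 and of
    a(Y) = B(s, Y) under S_2, so the signed message (s, tag) is the same.
    """
    a, b = signer_key
    return [(aj + bj * s) % Q for aj, bj in zip(a, b)]


def verify_s1(verifier_key, s, tag):
    """S_1 rule: U_i accepts (s, a(y)) iff a(y)|_{y=u_i} = W_i(x)|_{x=s}."""
    u, alpha, beta = verifier_key
    return poly_eval(tag, u) == (alpha + beta * s) % Q


def verify_s2(verifier_key, s, tag):
    """S_2 rule: U_i accepts (s, a(Y)) iff a(Y)|_{Y=v_i} = W_i(s)."""
    v, alpha, beta = verifier_key
    return sum(tj * vj for tj, vj in zip(tag, v)) % Q == (alpha + beta * s) % Q


def powers_vector(u, k):
    """(1, u, u^2, ..., u^k): the S_2 identity vector that reproduces S_1."""
    v, p = [], 1
    for _ in range(k + 1):
        v.append(p)
        p = (p * u) % Q
    return v


def key_sizes(k):
    """Field elements held by each party and the tag length (cf. Theorem 1)."""
    return {"signer": 2 * (k + 1), "verifier_s1": 3,
            "verifier_s2": k + 3, "tag": k + 1}


def demo(k=3, s=4242, rng=secrets.randbelow):
    """Run both syntheses on one signed message; returns the acceptance results."""
    ta = TrustedAuthority(k, rng)
    sk = ta.signer_key()
    vk1 = ta.verifier_key_s1()
    vk2 = ta.verifier_key_s2()
    tag = sign(sk, s)
    u, alpha, beta = vk1
    vk1_as_s2 = (powers_vector(u, k), alpha, beta)  # S_1 viewed as an S_2 key
    tampered = [(tag[0] + 1) % Q] + tag[1:]          # one coefficient altered
    return {
        "s1_accepts": verify_s1(vk1, s, tag),
        "s2_accepts": verify_s2(vk2, s, tag),
        "s1_as_s2_accepts": verify_s2(vk1_as_s2, s, tag),
        "s2_accepts_tampered_tag": verify_s2(vk2, s, tampered),
        "sizes": key_sizes(k),
    }


if __name__ == "__main__":
    print(demo())
```

The tampered tag is rejected whenever v_{i0} ≠ 0, which holds with probability 1 − 1/q for a uniformly chosen v_i; a guessed tag succeeds with probability 1/q, the ε of Theorem 1.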

The S_2 construction can also be used to provide protection against V-queries. This property will be used in synthesising SHZI02 (§4.3). To show this property we re-visit the construction above and show it can be seen as an (ε, 0, n, 1, t_{V_1} = k + 1, t_{V_2} = k)-secure code. That is, a code where the signer is distrusted but verifiers are trusted. This is dual to traditional MRA-codes where the signer is trusted and verifiers collude. The most powerful attack is the signer's denial attack against a verifier U_j. The signer does not know the identity vector v_j and has to construct a pair (s', a'(Y)) such that (i) a'(v_j) = W_j(s') and (ii) a'(Y) ≠ B(s', Y). He can have k V_2-queries. The V_1-queries give information about the key information of other verifiers only.

Each V_2-query gives a tag a_i(Y), 0 ≤ i ≤ k − 1, such that a_i(v_j) ≠ W_j(s'), i.e. a source state, tag pair unacceptable to U_j. The adversary can choose the k tags a_i so that a_i(v_j) = a_l(v_j) if and only if i = l, so each tag tests a different value against W_j(s'). Each of the tags used reduces the possible values of W_j(s') by 1. Thus the probability of the adversary choosing a tag acceptable to U_j is ε = 1/(q − k).

This shows one may apply S_2 to C_0 to obtain either an (ε, k, n, 1, 0, 0)-secure or an (ε, 0, n, 1, k + 1, k)-secure code. Indeed, though we shall not give details here, the S_2 synthesis gives an (ε, k_1, n, 1, k_2 + 1, k_2)-secure code, where k_1 + k_2 = k.



4.2 Construction of USDS

S_2 can be applied to the A^2-codes and A^3-codes in [9] to construct MRA^2 and MRA^3-codes from C_1. We omit the details and instead show how to use a synthesis approach similar to S_1 on source states rather than on identities to synthesise MRA^2 and MRA^3-codes that protect against a higher number of queries. That is, we show how to construct an (ε, w, n, t_A, 0, 0)-secure code from an (ε, w, n, 1, 0, 0)-secure code. A similar argument applies to MRA^3-codes when the arbiter has the key information of a verifier.

Theorem 2. The construction C_1 is an (ε, w, n)-secure MRA^2-code if the u_i are known only to U_i. We have ε = w/(q − w).

We call this construction C_1^2. The security proof uses the knowledge that the strongest collusion consists of the signer and w verifiers whose aim is to construct an authenticator a(x) (a polynomial of degree w) such that a(u_j) = f(u_j) + s g(u_j) for some j. The result follows since while colluders know f(x) and g(x) they cannot determine the identity u_j of U_j. The construction guarantees ε-security if for given security ε and w we have q > w(1 + 1/ε). To construct an (ε, w, n, t_A)-secure MRA^2-code we use t_A + 1 copies of C_1^2 and apply a modified version of S_1. (Similarly for MRA^3 from C_1^2.)

KeyGen: The TA generates t + 1 independent copies of C_1^2, f_i(x) + z g_i(x), and gives U_0

$$B(x,y,z) = \sum_{k=0}^{t}\big(f_k(x) + z\,g_k(x)\big)\,y^k = \sum_{k=0}^{t}\sum_{i=0}^{w}\sum_{j=0}^{1} a_{kij}\,x^i z^j y^k .$$

The TA gives verifier U_i a private u_i ∈ F_q and B(u_i, y, z). The arbiter has the key information of a verifier, that is B(u_A, y, z) where u_A is the arbiter's identifier.

SigGen: The signature of a source state s ∈ F_q is a(x, z) = B(x, s, z).

SigVer: User U_i accepts the message as authentic iff a(x, z)|_{x=u_i} = B(u_i, y, z)|_{y=s} for all z.

The key sizes for the signer and each verifier are 2(t + 1)(w + 1) and 2t + 3, respectively. The tag length is 2(w + 1). As before, appropriate choices of parameters can provide ε-security for any chosen ε.

Theorem 3. The above construction is an MRA^2-code that protects against t A-queries with ε = w/(q − w).

This code is similar to a generalised C_1 construction given in [13, §5.1] as an MRA-code protecting against multiple A-queries.




244 



Reihaneh Safavi-Naini, Luke McAven, and Moti Yung 



4.3 USDS Constructions: The SHZI02 Model

SHZI02 gave a construction that satisfies their proposed 'strongest security notion'. We construct a code with the same security level using the synthesis methodology above. The main advantage of this description is that the security proof can be straightforwardly derived from that of the underlying codes.

The SHZI02 model uses the same setting as MRA^3-codes. For an attack against U_j, by a collusion of w out of n verifiers, the adversary may have (i) t A-queries, (ii) t' V_1-queries from each verifier other than U_j, and (iii) t' − 1 V_2-queries rejected by U_j.

The synthesis has two steps: (i) constructing an (ε, 0, 2, t, 0, 0)-secure code, and (ii) constructing a code with (ε, w, n, t, t', t' − 1)-security.

We start from C_0: a component code that is (ε, 0, 2, 1, 0, 0)-secure. The key is a pair of random numbers (a, b) ∈ F_q^2 shared by the signer and verifier. Using the synthesis akin to S_1, described in the previous section, we take t + 1 copies, A_i(x) = a_i + b_i x, and obtain an (ε, 0, 2, t, 0, 0)-secure code, where the polynomial held by the signer and by each verifier (noting they are still all trusted) is

$$B(x,y) = \sum_{i=0}^{t} A_i(x)\,y^i = f(y) + x\,g(y), \qquad f(y) = \sum_{i=0}^{t} a_i y^i,\quad g(y) = \sum_{i=0}^{t} b_i y^i .$$

The signature for a source state s is a(x) = B(x, s), and a message is accepted if a(x) = B(x, s). Let this (ε, 0, 2, t, 0, 0)-secure code be the component code, and apply S_2 to t' + w + 1 copies B_i(x, y), 0 ≤ i ≤ t' + w. The TA gives U_0

$$C(x,y,Y) = \sum_{j=0}^{t'+w} B_j(x,y)\,Y_j$$

and verifier U_i a randomly chosen identity v_i ∈ F_q^{t'+w+1} and verifying polynomial

$$W_i(x,y) = C(x,y,v_i) = \sum_{j=0}^{t'+w} B_j(x,y)\,v_{ij} .$$

SigGen: The signature for a source state s is a(x, Y) = C(x, s, Y).

SigVer: User U_i accepts (s, a(x, Y)) iff a(x, Y)|_{Y=v_i} = W_i(x, y)|_{y=s} for all x.

We may write the complete key of the signer as

$$C(x,y,Y) = \sum_{i=0}^{t'+w}\sum_{j=0}^{t}\sum_{k=0}^{1} c_{ijk}\,x^k y^j Y_i .$$

This is the construction of SHZI02, satisfying the 'strong security notion' and constructed using S_1 and S_2. We used S_1 to synthesise a t-message system from a 1-message code. We used S_2 to synthesise an asymmetric system secure against collusions of up to size w, and t' V-queries. Collusions may include the signer, or the arbiter in our model, and the arbiter has a verifier's key.
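The two-level construction just described, as an added Python example (not the paper's or SHZI02's code): it generates t + 1 copies of C_0 folded over source states (the S_1 step, giving B_j(x, y) = f_j(y) + x g_j(y)), then folds t' + w + 1 such copies with random identity vectors (the S_2 step). The verification equality a(x, Y)|_{Y=v_i} = W_i(x, y)|_{y=s} "for all x" is checked coefficient-wise in x, the arbiter is modelled as holding one more verifier key as the text requires, and the tag and key sizes are counted against the figures given for the optimal variant below. q, t, t', w, the source states and the random generator are constructed for the example.

```python
"""Added example (not the paper's or SHZI02's code): the section 4.3 synthesis.

Step 1 (S_1 over source states): each copy B_j(x, y) = f_j(y) + x g_j(y) with
f_j, g_j of degree t, i.e. B_j(x, y) = sum_i (a_ji + b_ji x) y^i.
Step 2 (S_2 over identities): C(x, y, Y) = sum_j B_j(x, y) Y_j, and verifier
U_i gets v_i in F_Q^{t'+w+1} and W_i(x, y) = C(x, y, v_i).
Q, t, t', w and the rng are constructed here; the TA's choices are random.
"""
import secrets

Q = 10007  # prime, so F_Q is the integers mod Q (constructed parameter)


def poly_eval(coeffs, x):
    """Evaluate sum_d coeffs[d] x^d over F_Q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def dot(u, v):
    """Inner product over F_Q."""
    return sum(a * b for a, b in zip(u, v)) % Q


class TrustedAuthority:
    def __init__(self, t, t_prime, w, rng=secrets.randbelow):
        self.t = t
        self.m = t_prime + w + 1                    # copies B_0 .. B_{t'+w}
        self.rng = rng
        # f_j(y) and g_j(y) as coefficient lists of length t+1
        self.f = [[rng(Q) for _ in range(t + 1)] for _ in range(self.m)]
        self.g = [[rng(Q) for _ in range(t + 1)] for _ in range(self.m)]

    def signer_key(self):
        """C(x, y, Y): 2 (t+1)(t'+w+1) field elements."""
        return [list(fj) for fj in self.f], [list(gj) for gj in self.g]

    def verifier_key(self):
        """v_i and W_i(x, y) = sum_j v_ij B_j(x, y) = F_i(y) + x G_i(y).

        F_i and G_i are formed coefficient-wise: F_i[d] = sum_j v_ij f_j[d].
        The arbiter U_A receives a key of exactly this form.
        """
        v = [self.rng(Q) for _ in range(self.m)]
        F = [dot(v, [fj[d] for fj in self.f]) for d in range(self.t + 1)]
        G = [dot(v, [gj[d] for gj in self.g]) for d in range(self.t + 1)]
        return v, F, G


def sign(signer_key, s):
    """a(x, Y) = C(x, s, Y) = sum_j (f_j(s) + x g_j(s)) Y_j, stored as pairs."""
    f, g = signer_key
    return [(poly_eval(fj, s), poly_eval(gj, s)) for fj, gj in zip(f, g)]


def verify(verifier_key, s, tag):
    """Accept iff a(x, Y)|_{Y=v_i} = W_i(x, y)|_{y=s} as polynomials in x.

    a(x, v_i) = sum_j v_ij f_j(s) + x sum_j v_ij g_j(s) and W_i(x, s) =
    F_i(s) + x G_i(s); equality for all x means both coefficients agree.
    """
    v, F, G = verifier_key
    const = dot(v, [c for c, _ in tag])
    lin = dot(v, [d for _, d in tag])
    return const == poly_eval(F, s) and lin == poly_eval(G, s)


def sizes(t, t_prime, w):
    """Tag length and key sizes of this code, and those the text states for
    the optimal variant obtained by skipping the S_1 step."""
    m = t_prime + w + 1
    return {
        "tag": 2 * m, "signer": 2 * (t + 1) * m, "verifier": 2 * (t + 1) + m,
        "optimal_tag": m, "optimal_signer": (t + 1) * m,
        "optimal_verifier": m + (t + 1),
    }


def demo(t=2, t_prime=2, w=1, rng=secrets.randbelow):
    """Sign t+1 source states and check them at two verifiers and the arbiter."""
    ta = TrustedAuthority(t, t_prime, w, rng)
    sk = ta.signer_key()
    u1, u2, arbiter = ta.verifier_key(), ta.verifier_key(), ta.verifier_key()
    states = [101, 202, 303]                       # constructed source states
    msgs = [(s, sign(sk, s)) for s in states]
    s0, tag0 = msgs[0]
    tampered = [((tag0[0][0] + 1) % Q, tag0[0][1])] + tag0[1:]
    return {
        "all_accept": all(verify(k, s, tg) for s, tg in msgs
                          for k in (u1, u2, arbiter)),
        "tampered_accepted": verify(u1, s0, tampered),
        "sizes": sizes(t, t_prime, w),
    }


if __name__ == "__main__":
    print(demo())
```

Every honestly signed message is accepted by every verifier and by the arbiter, which is what makes a signer's denial fail against an honest arbiter; the tampered tag is rejected whenever v_{i0} ≠ 0.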

SHZI02 note this code meets the 1/q bound on security, although it is not known to be optimal. Rather than starting with C_0 we could omit the S_1 step and use an optimal (ε, 0, 2, t, 0, 0)-secure code, with signer polynomial B(y) = Σ_{i=0}^{t} A_i y^i [9]. We omit details but synthesising this code using S_2 as above gives a (1/(q − t'), w, n, t, t', t' − 1)-secure code. The authenticator, signer's and verifier's key sizes are (w + t' + 1), (t + 1)(w + t' + 1) and (w + t' + 1) + (t + 1), respectively, half those of the SHZI02 code as formulated above. While information theoretic and combinatorial bounds are not yet known for these codes, it seems unlikely the construction of SHZI02, as developed above, is optimal.

5 Generalised Authentication Codes

A general setting for Generalised A-codes (GA-codes) consists of a set U of participants, each with some secret key information, such that any group member may sign a message and verify signed messages. To emphasise the new aspects of GA-codes, we assume there is one signer; the approach can be extended to dynamic signer systems. The set U contains n verifiers, an arbiter U_A, and the signer U_0. Let E_X denote the set of all possible key values held by a set X of participants. We use M(E) to denote the set of messages valid under all the keys in E. An adversary corrupts some subset of participants that will form a colluding set. We assume these sets are statically determined.

We consider codes without secrecy, where the authenticated message for a source state s can be written in the form (s, t), where t is a tag or authenticator.

Generalised oracles: We generalise the oracles of section 3.1 by defining generalised A-oracles and generalised V-oracles that can generate and verify, respectively, messages of defined type.

Message type: We say a message m is of type τ = (e_{i_1}, …, e_{i_l}; e_{j_1}, …, e_{j_{l'}}) if

$$m \in \big\{M(e_{i_1}) \cap \dots \cap M(e_{i_l})\big\} \setminus \big\{M(e_{j_1}) \cup \dots \cup M(e_{j_{l'}})\big\} \qquad (1)$$

where M(e) ⊆ M. In other words m is valid for (e_{i_1}, …, e_{i_l}) and not valid for (e_{j_1}, …, e_{j_{l'}}). This captures exclusions of already 'used' queries from the message space. A message type is NULL if the type's message space is empty.

A gA-oracle takes a source state and a type τ, and generates an authenticated message (source state followed by the signature) of type τ, or outputs NULL if it is not possible to generate such a message. A gV-oracle takes a message m and a type τ and produces a TRUE result if m is of type τ, and FALSE otherwise.

Since the status of a message with respect to the arbiter is also relevant, one may have messages known to be acceptable or unacceptable to the arbiter by considering inclusion in M(e_A). If the arbitration algorithm differs from the verification algorithm, arbiter queries need to be considered separately.
Collusion structure: The collusion structure is written as a pair (C, Φ_C), where C is a colluding set and Φ_C determines the oracle queries accessible to C. The set Φ_C contains a list of message types φ_i, multiplicities ℓ_i and a flag ρ_i that determines if the query is made to the gA-oracle or to the gV-oracle. For each i, ℓ_i messages of type φ_i may be queried to an oracle of type ρ_i. Let R(φ_i) be the set of input and response pairs associated with the φ_i queries.

An (ε, w, n, t_A, t_V) threshold collusion structure is a collusion structure in which a colluding set contains at most w verifiers and has access to up to t_A A-queries, up to t_V − 1 V_2-queries (from the targeted verifier) and up to t_V V_1-queries (from each other verifier). A collusion set may also include the signer, and/or the arbiter.

The Goal of an attack is specified by the type of message to be constructed 
by the colluders. 

An Authentication Scenario σ(C) is defined by a set of participants, a collusion structure, and the protection the system can provide against colluders' attacks. Performance of an authentication scenario against a colluding set C with goal type γ is measured by the highest success chance of a collusion with message set Φ_C. The success probability of such an attack is defined as

$$P(\gamma;\Phi_C) = \max_{C}\ \max_{e_C \in E_C}\ \max_{\phi \in \Phi_C} P\big(m \text{ is of type } \gamma \mid \mathcal{R}(\phi_C),\ e_C\big)$$

where P(m(γ) | R(φ_C), e_C) is the probability of generating the message m of type γ given queries with responses, R(φ_C) ∈ R(Φ_C), specified by the collusion structure φ_C, and key information e_C ∈ E_C. We note that for gA-queries only, the space R reduces to the message space M(Φ_C), as below.

Information Theoretic Bounds

The attack probability bounds for A, MRA, MRA^2, MRA^3 and tMRA^2 codes, at least, may be concisely represented using authentication scenarios;

P{j;<Pc) > '>'E , 



6 Concluding Remarks

We proposed an extension of traditional A-codes and showed the resulting framework encompasses the recently proposed USDS schemes, and all the previously known ones, hence unifying all models and constructions in the area. Introducing the notion of V-queries suggests an interesting model for the attacker's strategy in A-codes not previously considered. This is hence a rich area for research.

We also developed an algebraic method for synthesizing group A-codes from simpler component codes, which removes the shortcoming of previous synthesis constructions. We gave two general methods, called S_1 and S_2, and gave an example construction using each.

We believe our work fills a gap in understanding USDS and provides a unified framework for USDS and their future extensions.
Abstract. In this paper, we first formalize the concept of ID-based identification scheme. Secondly, we show a transformation from any digital signature scheme satisfying a certain condition to an ID-based identification scheme. As an instance, we present the first provably secure ID-based identification scheme based on the hardness of the discrete logarithm problem. (More precisely, the hardness of the gap Diffie-Hellman (GDH) problem.) We further show that for the ID-based signature scheme which is obtained by the Fiat-Shamir heuristic, a tight security bound is easily derived due to our transformation.

Key words: ID-based cryptography, signature scheme, identification 
scheme, GDH group 



1 Introduction 

1.1 On ID-based 

In the last few years, research on identity (ID)-based encryption schemes [4,8,5] and signature schemes [18,16,13,7] has been very active. In an ID-based scheme, the identity of each user is used as his public key string. Most of the schemes employed bilinear pairings in their constructions, motivated by the novel work of Boneh and Franklin [4].

On the other hand, an identification scheme enables a prover holding a secret key to identify himself to a verifier holding the corresponding public key. Fiat and Shamir mentioned in the fundamental paper on identification schemes [11] that their scheme is ID-based. Since then, there have been a large number of practical identification protocols in the literature, to name a few [11,10,12,17,15]. However, to the best of our knowledge, there is no rigorous definition or security proof for "ID-based" identification schemes in the open literature.



F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 248-261, 2004. 
(c) International Association for Cryptologic Research 2004 
1.2 On Equivalences, Relationships, and Dualities

Much current research focuses on drawing equivalences, relationships and dualities between different primitives, and these discoveries lead to new understanding and novel constructions of the related primitives.

For example, we have the paper on “From identification to signatures via 
Fiat-Shamir transform” by Abdalla et al. [1], where the idea was initially pre- 
sented by Fiat and Shamir in 1986 [11]. In [14], Kiayias and Yung introduced 
new design methodologies for group signatures that convert a traitor tracing 
scheme into a group signature scheme. 

1.3 Our Contribution 

In this paper, we first formalize the concept of ID-based identification scheme. 
The main differences of ID-based identification schemes from the usual identi- 
fication schemes are that: (1) The adversary can choose a target identity ID of 
her choice to impersonate as opposed to a random public key; (2) The adversary 
can possess private keys of some users which she has chosen. 

Note that Schnorr’s identification scheme [17] is not ID-based because each 
user must publicize his public key. (In other words, he cannot use his identity 
as his public key string.) In Guillou and Quisquater (GQ) identification scheme 
[12], each user can use his identity as his public key string. However, we cannot 
prove the security as mentioned above. Hence it is not ID-based, either. 

Secondly, we show a transformation from a digital signature scheme (DS) to an ID-based identification scheme, where we require that the signature scheme has a three-move honest verifier zero-knowledge proof of knowledge. We then prove that the resulting ID-based identification scheme is secure against impersonation under passive attacks if the underlying signature scheme is secure against existential forgery on adaptive chosen message attacks. An ID-based identification scheme can be further transformed to an ID-based signature scheme, following the Fiat-Shamir transform paradigm [11,1]. That is,

DS scheme → ID-based identification scheme → ID-based DS scheme.

Tight security bounds are directly obtained by our transformation both for the 
ID-based identification scheme and the ID-based signature scheme if tight secu- 
rity proof is known for the underlying signature scheme. 

As an instance, we present the first provably secure ID-based identification 
scheme based on the hardness of discrete logarithm problem. More precisely, 
it is based on the hardness of GDH problem. Our scheme uses Boneh et al.’s 
short signature scheme as a building block where the security is based on the 
GDH groups [6]. Similarly to Schnorr’s (non ID-based) identification scheme, 
our scheme allows precomputation, reducing the real time computation of the 
prover to just one multiplication. It is thus particularly suitable for provers with 
limited computational ability. 

We can further obtain an ID-based signature scheme from the ID-based identification scheme. The resulting signature scheme coincides with Cha and Cheon's scheme [7]. However, we provide a tighter security bound due to our transformation: GDH signature scheme → ID-based identification scheme → ID-based signature scheme. This in turn improves the efficiency of the scheme since a smaller modulus can be used for the same level of security.

We also prove that the proposed ID-based identification scheme is secure 
against active attacks under the one-more DH assumption, where the one-more 
DH assumption is a natural analogue of the one-more RSA inversion assumption 
introduced in [2]. 

Finally, we point out that we can easily obtain GQ-type ID-based identification/signature schemes by combining the Full Domain Hash RSA (FDH-RSA) signature scheme with our transformation. By using the result of Coron [9], a tight security bound is further obtained.

1.4 Organization 

The rest of the paper is organized as follows. Section 2.1 recalls the formal 
definition of digital signature schemes. We give the definition of GDH groups, 
following with the GDH signature scheme proposed by Boneh et al. [6] in Sec- 
tion 2.2. We present the formal model and the security definition of ID-based 
identification schemes in Section 3. Next, we show how to transform a digital 
signature scheme to an ID-based identification scheme in Section 4. A security 
analysis of the transformation follows in Section 4.3. Subsequently, in Section 5 
we present our proposed ID-based identification scheme and show that it is se- 
cure against impersonation under passive attacks. In Section 6 we present a tight 
security reduction of the ID-based signature scheme based on the GDH groups. 
In Section 7 we prove that the proposed ID-based identification scheme is also 
secure against active attacks under the one-more DH assumption. In Section 8 
we briefly discuss the applicability of our proposed transformation method to 
GQ schemes. We conclude the paper in Section 9. 

2 Digital Signature Scheme 

2.1 Definition 

The standard definition of digital signature schemes is described as follows.

Definition 1. A digital signature scheme DS is denoted by a triple (Gen, Sign, Verify) of polynomial-time algorithms, called key generation algorithm, signing algorithm and verification algorithm, respectively. The first two algorithms are probabilistic.

— Key Generation. On input 1^k (throughout this paper, k denotes the security parameter), the algorithm produces a pair of matching public and secret keys (pk, sk).

— Signing. On input (sk, m), the algorithm returns a signature σ = Sign_sk(m), where m is a message.

— Verification. On input (pk, m, σ), the algorithm returns 1 (accept) or 0 (reject). We require that Verify_pk(m, σ) = 1 for all σ ← Sign_sk(m).

Security. We consider signature schemes that are secure against existential 
forgery under adaptive chosen message attacks. A forger $F$ takes as input a public 
key $pk$, where $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$, and tries to forge signatures with respect to 
$pk$. The forger is allowed to query messages adaptively to the signing oracle to 
obtain the corresponding signatures. A valid forgery is a message-signature pair 
$(m, \sigma)$ such that $\mathrm{Verify}_{pk}(m, \sigma) = 1$ but $m$ has never been queried by $F$. 

Definition 2. We say that a digital signature scheme $\mathcal{DS}$ is $(t, q_S, \epsilon)$-secure 
against existential forgery on adaptive chosen message attacks if for any forger 
$F$ who runs in time $t$, 

$$\Pr[F \text{ can output a valid forgery}] < \epsilon,$$ 

where $F$ can make at most $q_S$ signing queries. 

In the random oracle model, we consider a hash function $H$ as a random 
oracle. Definition 2 is naturally generalized to the random oracle model: we 
say that a digital signature scheme $\mathcal{DS}$ is $(t, q_S, q_H, \epsilon)$-secure if the condition of 
Definition 2 is satisfied, where $F$ can make at most $q_H$ random oracle queries. 

2.2 GDH Signature Scheme 

Boneh et al. proposed a signature scheme based on GDH groups [6]. Let $G$ 
be an additive cyclic group generated by $P$ with prime order $q$. 

Computational Diffie-Hellman (CDH) Problem. Given $(P, aP, bP)$ for 
some $a, b \in \mathbb{Z}_q^*$, compute $abP$. 

Decisional Diffie-Hellman (DDH) Problem. Given $(P, aP, bP, cP)$ for some 
$a, b, c \in \mathbb{Z}_q^*$, decide whether $c = ab \bmod q$. (We say that $(P, aP, bP, cP)$ is a DH-tuple 
if $c = ab \bmod q$.) 

We say that $G$ is a GDH group if the CDH problem is hard, but the DDH 
problem is easy. 

Key Generation. On input $1^k$, generate an additive group $G$ with prime order 
$q$ where $q$ is $k$-bit long. Choose an arbitrary generator $P \in G$. Pick a random 
$s \in \mathbb{Z}_q^*$ and set $Q = sP$. Choose a cryptographic hash function $H : \{0,1\}^* \to G$. 
The public key is $(P, Q, H)$ and the secret key is $s$. 

Signing. Given the secret key $s$ and a message $m \in \{0,1\}^*$, compute the signature 
$\sigma = sH(m)$. 

Verification. Given the public key $(P, Q, H)$, a message $m$ and a signature $\sigma$, 
compute $H(m)$ and verify that $(P, Q, H(m), \sigma)$ is a valid DH-tuple. 

GDH groups are defined formally as follows [6]. 

Definition 3. $G$ is a $\tau$-decision group for Diffie-Hellman if the DDH problem 
can be computed in time at most $\tau$, where the group operation $P + Q$ is computed in one time unit. 

Definition 4. The advantage of an algorithm $A$ in solving the CDH problem in 
group $G$ is 

$$\mathrm{Adv}^{\mathrm{CDH}}_A \stackrel{\mathrm{def}}{=} \Pr[A(P, aP, bP) = abP : a, b \leftarrow \mathbb{Z}_q^*],$$ 

where the probability is over the choice of $a$ and $b$, and the coin tosses of $A$. We 
say that an algorithm $A$ $(t, \epsilon)$-breaks CDH in $G$ if $A$ runs in time at most $t$, and 

$$\mathrm{Adv}^{\mathrm{CDH}}_A \ge \epsilon.$$ 

Definition 5. A prime order group $G$ is a $(\tau, t, \epsilon)$-GDH group if it is a $\tau$-decision 
group for Diffie-Hellman and no algorithm $(t, \epsilon)$-breaks CDH on it. 

The security of the scheme is derived as follows. 

Proposition 1. [6, Theorem, page 517] If $G$ is a $(\tau, t', \epsilon')$-GDH group of order 
$q$, then the above GDH signature scheme is $(t, q_S, q_H, \epsilon)$-secure against existential 
forgery on adaptive chosen-message attacks, where 

$$t > t' - 2 c_A \log_2 q\,(q_H + q_S),$$ 

and $c_A$ is a small constant. Here $e$ is the base of the natural logarithm. 

3 ID-based Identification Scheme 

In this section, we give a formal definition of ID-based identification schemes. 



3.1 Model 

An ID-based identification scheme $\mathcal{ID} = (\mathcal{S}, \mathcal{E}, \mathcal{P}, \mathcal{V})$ is specified by four probabilistic 
polynomial-time (PPT) algorithms, called the setup algorithm, extract algorithm, 
proving algorithm and verification algorithm, respectively. $\mathcal{P}$ and $\mathcal{V}$ 
are interactive algorithms that implement the prover and verifier, respectively. 
Alternatively we call $(\mathcal{P}, \mathcal{V})$ an identification protocol. 

— Setup. A probabilistic algorithm used by the private key generator (PKG) to 
set up all the parameters of the scheme. $\mathcal{S}$ takes as input $1^k$ and generates the 
global system parameters params and the master-key. The system parameters 
will be publicly known while the master-key will be known to the PKG only. 

— Extract. A probabilistic algorithm used by the PKG to extract a private key 
corresponding to a given public identity. $\mathcal{E}$ receives as input the master-key 
and a public identity ID, and returns the corresponding private key $d$. 

— Identification Protocol. $\mathcal{P}$ receives as input (params, ID, $d$) and $\mathcal{V}$ receives 
as input (params, ID), where $d$ is the private key corresponding to the public 
identity ID. After an interactive execution of $(\mathcal{P}, \mathcal{V})$, $\mathcal{V}$ outputs a boolean 
decision 1 (accept) or 0 (reject). A legitimate $\mathcal{P}$ should always be accepted. 

Specifically, we consider ID-based identification schemes having a 
three-move protocol, which is commonly called canonical. 

1. $\mathcal{P}$ sends a commitment Cmt to $\mathcal{V}$. 

2. $\mathcal{V}$ returns a challenge Ch which is randomly chosen from some set. 

3. $\mathcal{P}$ provides a response Rsp. 

4. On input (params, ID, Cmt, Ch, Rsp), $\mathcal{V}$ accepts or rejects. 

3.2 Security 

The security of ID-based identification schemes is almost the same as the security 
of standard identification schemes. However, it must be strengthened a bit 
as follows: (1) the adversary can choose a public identity ID of her choice to 
impersonate, as opposed to a random public key; (2) when an adversary attacks 
a public identity ID, she might already possess the private keys of some users 
$ID_1, ID_2, \ldots$ of her choice. The system should remain secure under such an 
attack. Hence, the definition must allow the adversary to obtain the private key 
associated with any identity $ID_i$ of her choice (other than the public identity ID 
being attacked). 

The adversary's goal is impersonation: an adversary succeeds if it interacts 
with the verifier in the role of a prover with public identity ID and can convince 
the verifier to accept with non-negligible probability. 

There are two types of attacks on the honest, private-key-equipped prover, 
namely passive attacks and active attacks. These attacks take place and 
complete before the impersonation attempt. In a passive attack, the adversary 
does not interact with the prover; she only eavesdrops and is in possession of 
transcripts of conversations between the prover and the verifier. In an active 
attack, the adversary gets to play the role of a cheating verifier, interacting with 
the prover several times, in an effort to extract some useful information before 
the impersonation attempt. 

We describe the two-phase game between a passive (active) impersonator $I$ 
and the challenger $C$. In Phase 1, the impersonator is allowed to make some 
extract queries. In addition, it can also make either some transcript queries (for 
passive attacks) or request to act as a cheating verifier (for active attacks). In 
Phase 2, $I$ starts its impersonation attempt, playing the role of a cheating prover 
of a public identity ID of its choice and trying to convince the verifier. 

— Setup. The challenger takes as input $1^k$ and runs the setup algorithm $\mathcal{S}$. It 
gives $I$ the resulting system parameters params and keeps the master-key to 
itself. 

— Phase 1. 

1. $I$ issues some extract queries $ID_1, ID_2, \ldots$. The challenger responds by 
running the extract algorithm $\mathcal{E}$ to generate the private key $d_i$ corresponding 
to the public identity $ID_i$. It returns $d_i$ to $I$. These queries may 
be asked adaptively. 

2. $I$ issues some transcript queries (for passive attacks) on $ID_i$ or requests to 
act as a cheating verifier corresponding to some $ID_i$ (for active attacks). 

3. The queries in step 1 and step 2 above can be interleaved. 

— Phase 2. $I$ outputs a challenge identity ID on which it wishes to impersonate; 
$I$ now acts as a cheating prover, trying to convince the verifier. 

Definition 6. We say that an ID-based identification scheme $\mathcal{ID}$ is $(t, q_I, \epsilon)$-secure 
under passive (active) attacks if for any passive (active) impersonator $I$ 
who runs in time $t$, 

$$\Pr[I \text{ can impersonate}] < \epsilon,$$ 

where $I$ can make at most $q_I$ extract queries. 

4 Transformation from $\mathcal{DS}$ to $\mathcal{ID}$ 

In this section, we show a transformation of a digital signature scheme $\mathcal{DS}$ into an 
ID-based identification scheme $\mathcal{ID}$. First, we state the requirement that a digital 
signature scheme $\mathcal{DS}$ must fulfill. Next, we present the transformation, followed 
by the security analysis. 



4.1 Requirement for $\mathcal{DS}$ 

We require that a digital signature scheme $\mathcal{DS}$ has a canonical (three-move) 
zero-knowledge interactive proof system (ZKIP) of knowledge of a signature, as 
follows. 

Let $pk$ be a public key, $m$ be a message and $\sigma$ be a signature on $m$. 
The common input to $(P, V)$ is $(pk, m)$. The secret input to $P$ is $\sigma$. Let 
view $= (\mathrm{Cmt}, \mathrm{Ch}, \mathrm{Rsp})$ be a transcript of the conversation between $(P, V)$. Let 
View be the random variable induced by view. We say that $(\mathrm{Cmt}, \mathrm{Ch}, \mathrm{Rsp})$ is 
acceptable if $V$ accepts it. 

Definition 7. We say that a digital signature scheme $\mathcal{DS}$ has a $\Delta$-challenge 
zero-knowledge (ZK) protocol if there exists a canonical protocol $(P, V)$ as follows. 
For any $(pk, m)$, 

Completeness. If $P$ knows $\sigma$, then $\Pr[V \text{ accepts}] = 1$. 

Soundness. — The number of possible challenges Ch is equal to $\Delta$. 

— $\sigma$ is computed efficiently from any two acceptable transcripts 
$(\mathrm{Cmt}, \mathrm{Ch}_1, \mathrm{Rsp}_1)$ and $(\mathrm{Cmt}, \mathrm{Ch}_2, \mathrm{Rsp}_2)$ such that $\mathrm{Ch}_1 \ne \mathrm{Ch}_2$. 

Zero-knowledgeness. $(P, V)$ is perfectly ZK for the honest verifier. That is, 
there exists a simulator $S$ such that its output follows the same probability 
distribution as View. 



4.2 Transformation 

Any digital signature scheme $\mathcal{DS} = $ (Gen, Sign, Verify) satisfying the above 
requirement can be used as a building block to implement a canonical ID-based 
identification scheme $\mathcal{ID} = (\mathcal{S}, \mathcal{E}, \mathcal{P}, \mathcal{V})$. 

Firstly, we point out the similarities between $\mathcal{DS}$ and $\mathcal{ID}$ and compare 
the algorithms associated with them. The setup algorithm $\mathcal{S}$ 
performs operations similar to the key generation algorithm Gen. Indeed, both 
of them take as input $1^k$ and generate: 

— params or $pk$, respectively the system parameters or the public key. 

— master-key or $sk$, which will be used by the PKG in the extract algorithm or 
as a signing key by the user, respectively. 

Thus, we can view params $= pk$ and master-key $= sk$. 

The extract algorithm $\mathcal{E}$ is similar to the signing algorithm Sign. They take 
ID and $m$, respectively, as input and produce the corresponding private key $d$ 
and signature $\sigma$, respectively. In other words, we can set ID $= m$ and $d = \sigma$. 

Now in $\mathcal{ID}$, the prover $\mathcal{P}$ holds a secret key $d = \sigma$ corresponding to his 
public identity ID. Then $\mathcal{P}$ and $\mathcal{V}$ run the $\Delta$-challenge ZK protocol of $\mathcal{DS}$. We 
give the detailed description as follows: 

Setup. On input $1^k$, $\mathcal{S}$ generates params $= pk$ and master-key $= sk$ using Gen. 

Extract. For a given public identity ID $= m$, $\mathcal{E}$ uses Sign to generate the 
corresponding private key $d = \sigma$, by using the master-key $= sk$. 

Identification Protocol. The prover and verifier perform the $\Delta$-challenge ZK 
protocol of $\mathcal{DS}$ and obtain the protocol depicted in Fig. 1. 

Fig. 1. A canonical ID-based identification protocol (layout recovered from the figure): 

Prover (input: $d = \sigma$)                          Verifier (input: params $= pk$, ID $= m$) 
                      ---- Cmt ---->  
                      <---- Ch -----                    Ch chosen at random from the challenge set 
                      ---- Rsp ---->  
                                                        Dec $\leftarrow V(\text{params}, \text{ID}, \mathrm{Cmt}, \mathrm{Ch}, \mathrm{Rsp})$ 



4.3 Security Analysis 

Theorem 1. Let $\mathcal{DS} = $ (Gen, Sign, Verify) be a digital signature scheme which 
has a $\Delta$-challenge ZK protocol. Let $\mathcal{ID} = (\mathcal{S}, \mathcal{E}, \mathcal{P}, \mathcal{V})$ be the associated canonical 
ID-based identification scheme as per the transformation shown above. Then $\mathcal{ID}$ 
is $(t, q_I, \epsilon)$-secure against impersonation under passive attacks if $\mathcal{DS}$ is $(t', q_S, \epsilon')$-secure 
against existential forgery on adaptive chosen message attacks, where 

$$t > (t'/2) - \mathrm{poly}(k), \qquad q_I = q_S, \qquad \epsilon < \sqrt{\epsilon'} + (1/\Delta).$$ 

Proof. (Sketch) Let $I$ be an impersonator who $(t, q_I, \epsilon)$-breaks the ID-based 
identification scheme $\mathcal{ID}$. Then we will show that $\mathcal{DS}$ is not $(t', q_S, \epsilon')$-secure. That 
is, we will present a forger $F$ who $(t', q_S, \epsilon')$-breaks the signature scheme $\mathcal{DS}$. 

The forger $F$ receives $pk$ as its input. It then gives $pk$ to the impersonator $I$. In 
Phase 1, the impersonator $I$ starts the extract queries. If $I$ issues an extract query 
$ID_i$, then the forger $F$ queries $ID_i$ to its signing oracle. $F$ forwards the answer 
$d_i = \sigma_i$ of the signing oracle to $I$. These queries may be asked adaptively. $I$ also 
issues some transcript queries on $ID_i$. Since $\mathcal{DS}$ has a $\Delta$-challenge ZK protocol, 
there exists a simulator $S$ whose output follows the same distribution as View. 
If $I$ issues a request $ID_i$, $F$ runs the simulator $S$ on input $(pk, ID_i)$. Suppose that 
$S$ outputs $(\mathrm{Cmt}_i, \mathrm{Ch}_i, \mathrm{Rsp}_i)$. Then $F$ gives it to $I$. 

Some time later, $I$ decides that Phase 1 is over and outputs a public identity 
ID on which it wishes to be challenged. $I$ plays the role of the cheating prover, 
trying to convince the verifier $\mathcal{V}$ that she is the holder of public identity ID. $F$ 
plays the role of $\mathcal{V}$. Immediately after the first run, $F$ resets the prover $I$ to just 
after the step in which $I$ has sent the message Cmt. $F$ then runs the protocol again. 
Let the conversation transcripts of the first run and the second run be (Cmt, Ch, 
Rsp) and (Cmt, Ch', Rsp'), respectively. Based on the Reset Lemma of 
Bellare and Palacio [3], we can extract the private key $d = \sigma$ from the two 
conversation transcripts with probability more than $(\epsilon - 1/\Delta)^2$. 

Finally, with $\sigma$ extracted from the impersonator $I$, the forger $F$ returns the 
message-signature pair $(ID, \sigma)$ as its forgery. Thus it is clear that 

$$t' < 2t + \mathrm{poly}(k), \qquad q_S = q_I, \qquad \epsilon' > (\epsilon - 1/\Delta)^2.$$ 

□ 



5 Proposed ID-based Identification Scheme 

In this section, we show the first provably secure ID-based identification scheme 
by applying our transformation to the GDH signature scheme. 

5.1 $q$-Challenge ZK Protocol 

We first show that the GDH signature scheme as described in Section 2.2 satisfies 
the requirement in Section 4.1. 

Theorem 2. The GDH signature scheme has a $q$-challenge ZK protocol. 

Proof. For the GDH signature scheme, we show a three-move canonical protocol 
$(P, V)$ which satisfies the requirement in Section 4.1. 

1. $P$ chooses $r \in \mathbb{Z}_q$ randomly and sends $x = rH(m)$ to $V$. 

2. $V$ chooses $c \in \mathbb{Z}_q$ randomly and sends $c$ to $P$. 

3. $P$ computes $y = (r + c)\sigma$ and sends $y$ to $V$. 

4. $V$ accepts if and only if $(P, Q, x + cH(m), y)$ is a DH-tuple. 

It is clear that the above protocol satisfies completeness. Soundness 
is proved as follows. Suppose that $(x, c_1, y_1)$ and $(x, c_2, y_2)$ are two acceptable 
conversations. Then it holds that 

$$x + c_1 H(m) = l_1 P, \qquad y_1 = l_1 Q,$$ 
$$x + c_2 H(m) = l_2 P, \qquad y_2 = l_2 Q,$$ 

for some $l_1$ and $l_2$. From the above equations, we obtain 

$$(c_2 - c_1) H(m) = (l_2 - l_1) P \quad \text{and} \quad y_2 - y_1 = (l_2 - l_1) Q.$$ 

This shows that $\sigma = (c_2 - c_1)^{-1}(y_2 - y_1)$ is a signature on $m$. (Recall that $Q = sP$ 
and $\sigma = sH(m)$.) 

Finally, we show a simulator $S$. The purpose of $S$ is to output $(x, c, y)$ 
such that $(P, Q, x + cH(m), y)$ is a DH-tuple. That is, $(P, Q, x + cH(m), y) = 
(P, Q, lP, lQ)$ for some $l$. Hence $S$ chooses $l \in \mathbb{Z}_q$ and $c \in \mathbb{Z}_q$ randomly. $S$ then 
outputs $(lP - cH(m), c, lQ)$. Thus we have shown that $(P, V)$ is perfectly ZK for 
the honest verifier. □ 



5.2 ID-based Identification Scheme Based on GDH 

We can then obtain an ID-based identification scheme immediately from Section 
4.2. Let $\mathcal{ID} = (\mathcal{S}, \mathcal{E}, \mathcal{P}, \mathcal{V})$ be the four PPT algorithms as follows. 

Setup. On input $1^k$, generate an additive group $G$ with prime order $q$. Choose an 
arbitrary generator $P \in G$. Pick a random $s \in \mathbb{Z}_q$ and set $P_{pub} = sP$. Choose a 
hash function $H : \{0,1\}^* \to G$. The system parameters are params $= (P, P_{pub}, H)$ 
and the master-key is $s$, which is known to the PKG only. 

Extract. Given a public identity ID, compute the corresponding private key 
$d_{ID} = sQ_{ID}$ where $Q_{ID} = H(\mathrm{ID})$. 

Identification Protocol. 

1. $\mathcal{P}$ chooses $r \in \mathbb{Z}_q$ randomly, computes $U = rQ_{ID}$ and sends $U$ to $\mathcal{V}$. 

2. $\mathcal{V}$ chooses $c \in \mathbb{Z}_q$ randomly and sends $c$ to $\mathcal{P}$. 

3. $\mathcal{P}$ computes $V = (r + c)d_{ID}$ and sends $V$ to $\mathcal{V}$. 

4. $\mathcal{V}$ verifies whether $(P, P_{pub}, U + cQ_{ID}, V)$ is a DH-tuple. 

Remark. Note that params is the public key of the GDH signature scheme and 
$s$ is the secret key. $d_{ID}$ is the signature on the message ID. 



5.3 Security Against Passive Attacks 

From Theorem 1 and Theorem 2, it is clear that the above ID-based identifi- 
cation scheme is secure against passive attacks if the GDH signature scheme is 
secure against existential forgery on adaptive chosen message attacks. The lat- 
ter is indeed the case as shown in Proposition 1. Therefore, the above ID-based 
identification scheme is secure against passive attacks. 
By combining these results quantitatively, we can obtain the concrete security. 
The security definition is generalized to the random oracle model as follows. 
We say that an ID-based identification scheme $\mathcal{ID}$ is $(t, q_I, q_H, \epsilon)$-secure under 
passive (active) attacks if the condition of Definition 6 is satisfied, where the 
impersonator $I$ can make at most $q_H$ random oracle queries. (We can prove the 
random oracle version of Theorem 1 easily, where both $F$ and $I$ use the same 
random oracle $H$. If $I$ makes a random oracle query, then $F$ makes the same 
query to $H$ and sends the obtained answer to $I$.) 

Theorem 3. If $G$ is a $(\tau, t', \epsilon')$-GDH group, then the above ID-based identification 
scheme is $(t, q_I, q_H, \epsilon)$-secure under passive attacks, where 

$$t > (t'/2) - c_A \log_2 q\,(q_H + q_I) - \mathrm{poly}(k), \qquad \epsilon < \sqrt{2 e q_I \epsilon'} + (1/q),$$ 

and $c_A$ is a small constant. Here $e$ is the base of the natural logarithm. 

6 ID-based Signature Scheme Based on GDH 

We can further transform our proposed ID-based identification scheme into an 
ID-based signature scheme. This transformation is direct, as in other Fiat-Shamir 
transformations, except that it involves an ID-based transformation. 

The resulting signature scheme coincides with Cha and Cheon’s scheme [7]. 
However, we can give a much tighter security reduction due to our transformation: 
GDH signature scheme $\to$ ID-based identification scheme $\to$ ID-based 
signature scheme. This in turn improves the efficiency of the scheme since a smaller 
modulus can be used for the same level of security. (In [7], the security proof 
relies on the forking lemma. Hence the reduction is not tight and the proof is 
very complicated.) 



6.1 Scheme 

Setup. On input $1^k$, generate an additive group $G$ with prime order $q$. Choose 
an arbitrary generator $P \in G$. Pick $s \in \mathbb{Z}_q^*$ randomly and set $P_{pub} = sP$. Choose 
two cryptographic hash functions $H : \{0,1\}^* \to G$ and $H_1 : \{0,1\}^* \times G \to \mathbb{Z}_q$. 
The system parameters are params $= (P, P_{pub}, H, H_1)$ and the master-key is $s$, which 
is known to the PKG only. 

Extract. Given a public identity ID, compute the corresponding private key 
$d_{ID} = sQ_{ID}$ where $Q_{ID} = H(\mathrm{ID})$. 

Signing. Given the private key $d_{ID}$ and a message $m$, pick a random number 
$r \in \mathbb{Z}_q$. Return the signature $\sigma = (U, V)$ where $U = rQ_{ID}$, $c = H_1(m, U)$ and 
$V = (r + c)d_{ID}$. 

Verification. Given the system parameters params $= (P, P_{pub}, H, H_1)$, a message 
$m$ and a signature $\sigma = (U, V)$ for an identity ID, compute $c = H_1(m, U)$ 
and verify that $(P, P_{pub}, U + cQ_{ID}, V)$ is a valid DH-tuple. 
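As an added example (not code from the paper or its authors), the following Python script runs the identification protocol of Section 5.2 (the $q$-challenge ZK protocol of Theorem 2, together with the key extractor behind its soundness and the hon
est-verifier simulator) and the Fiat-Shamir signature of Section 6.1 over a toy group: $G = (\mathbb{Z}_q, +)$ with a pairing-style map into $\mathbb{Z}_p^*$, $q = 1019$, $p = 2039$, SHA-256 standing in for the random oracles $H$ and $H_1$, and every identity and message constructed here. Discrete logarithms in that group are trivial, so the script demonstrates only the protocol logic; a real deployment puts a pairing-friendly curve behind the same three functions.

```python
"""Added illustration (not the paper's code) of the GDH-based ID scheme of
Section 5.2, the q-challenge ZK protocol of Theorem 2 (extractor and
simulator) and the Fiat-Shamir signature of Section 6.1.

TOY GROUP, constructed here: G = (Z_q, +) with generator P = 1 and the
bilinear map e(A, B) = g^(A*B) into the order-q subgroup of Z_p^*, p = 2q+1.
Discrete logs in this G are trivial, so it is INSECURE; only the protocol
logic is meaningful.  A real deployment swaps q, e and H for a pairing group.
"""
import hashlib
import secrets

q = 1019   # prime order of G (toy value)
p = 2039   # = 2q + 1, prime, so Z_p^* has a subgroup of order q
g = 4      # generator of that subgroup (a square mod p, not 1)
P = 1      # generator of G = (Z_q, +)

def e(A, B):
    """Toy bilinear map G x G -> <g>: e(aP, bP) = g^(ab)."""
    return pow(g, (A * B) % q, p)

def is_dh_tuple(P_, Q_, R, T):
    """Decide whether (P, Q, R, T) is a DH-tuple (T = sR when Q = sP) by
    checking e(P, T) == e(Q, R).  This is the 'DDH is easy' half of GDH."""
    return e(P_, T) == e(Q_, R)

def H(data):
    """Random-oracle stand-in {0,1}* -> G minus {0}."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return 1 + h % (q - 1)

def H1(m, U):
    """{0,1}* x G -> Z_q, the Fiat-Shamir challenge hash of Section 6.1."""
    h = hashlib.sha256(b"H1|" + m + b"|" + U.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % q

# Setup / Extract (PKG side): params is a GDH public key, master-key = s.
def setup():
    s = 1 + secrets.randbelow(q - 1)       # s in Z_q^*
    return (P, (s * P) % q), s             # params = (P, P_pub)

def extract(s, ID):
    return (s * H(ID)) % q                 # d_ID = s*Q_ID, a GDH signature on ID

# Identification protocol (q-challenge ZK protocol, Section 5.2).
def prover_commit(ID):
    r = secrets.randbelow(q)
    return r, (r * H(ID)) % q              # U = r*Q_ID

def prover_respond(r, c, d_ID):
    return ((r + c) * d_ID) % q            # V = (r + c)*d_ID

def verify(params, ID, U, c, V):
    P_, Ppub = params
    return is_dh_tuple(P_, Ppub, (U + c * H(ID)) % q, V)

# Special soundness (Theorem 2): two accepting transcripts with the same
# commitment and c1 != c2 give d_ID = (c2 - c1)^-1 (V2 - V1).
def extract_key(c1, V1, c2, V2):
    return pow((c2 - c1) % q, -1, q) * (V2 - V1) % q

# Honest-verifier ZK simulator: pick l, c and output (lP - c*Q_ID, c, l*P_pub).
def simulate(params, ID):
    P_, Ppub = params
    ell, c = secrets.randbelow(q), secrets.randbelow(q)
    return (ell * P_ - c * H(ID)) % q, c, (ell * Ppub) % q

# Fiat-Shamir: the ID-based signature of Section 6.1 (c = H1(m, U)).
def sign(ID, d_ID, m):
    r, U = prover_commit(ID)
    return U, prover_respond(r, H1(m, U), d_ID)

def verify_sig(params, ID, m, sig):
    U, V = sig
    return verify(params, ID, U, H1(m, U), V)

def demo():
    """Honest run, rewinding extraction, simulated transcript, signature."""
    params, s = setup()
    ID = b"alice@example.org"              # constructed identity
    d = extract(s, ID)
    r, U = prover_commit(ID)
    c = secrets.randbelow(q)
    V = prover_respond(r, c, d)
    accepted = verify(params, ID, U, c, V)
    # Reset Lemma step: same commitment U, a second challenge -> key leaks.
    c2 = (c + 1) % q
    extracted_ok = extract_key(c, V, c2, prover_respond(r, c2, d)) == d
    simulated_ok = verify(params, ID, *simulate(params, ID))
    sig_ok = verify_sig(params, ID, b"pay 10", sign(ID, d, b"pay 10"))
    return accepted, extracted_ok, simulated_ok, sig_ok

if __name__ == "__main__":
    print(demo())                          # (True, True, True, True)
```

The `extract_key` step is exactly why a prover must never reuse a commitment $U$ across two challenges: the verifier (or anyone holding both transcripts) recovers $d_{ID}$ outright.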




From Digital Signature to ID-based Identification/Signature 259 



6.2 Security 

The security definition of ID-based digital signature schemes is given in [7]. We 
say that an ID-based digital signature scheme is $(t, q_I, q_S, q_H, q_{H_1}, \epsilon)$-secure if for 
any forger $F$ who runs in time $t$, 

$$\Pr[F \text{ can output a valid forgery}] < \epsilon,$$ 

where $F$ can make at most $q_I$ extract queries, at most $q_S$ signing queries and at 
most $q_H$ and $q_{H_1}$ queries to the random oracles $H$ and $H_1$, respectively. 

Then from Theorem 3 and Lemma 1 of [1], we can obtain the following 
theorem. 

Theorem 4. If $G$ is a $(\tau, t', \epsilon')$-GDH group, then the ID-based GDH signature 
scheme is $(t, q_I, q_S, q_H, q_{H_1}, \epsilon)$-secure, where 

$$t > (t'/2) - c_A \log_2 q\,(q_H + q_I) - \mathrm{poly}(k),$$ 

$$\epsilon < \frac{(1 + q_{H_1})\left(q\sqrt{2 e q_I \epsilon'} + 1\right) + (1 + q_{H_1} + q_S)\, q_S}{q},$$ 

and $c_A$ is a small constant. Here $e$ is the base of the natural logarithm. 

7 Security Against Active Attacks of the Proposed 
ID-based Identification Scheme 

In this section, we show that our proposed ID-based identification scheme as 
described in Section 5.2 is secure against active attacks if the one-more DH 
problem is hard, where the one-more DH assumption is a natural analogue of 
the one-more RSA inversion assumption first introduced in [2]. The 
same assumption and the related discrete-log assumption were later used in [3] 
to prove security against impersonation under active and concurrent attacks 
for the GQ and Schnorr identification schemes, respectively. 

7.1 One-More DH Assumption 

We briefly describe the one-more DH adversary. A one-more DH adversary is 
a randomized, polynomial-time algorithm $M$ that gets input $(P, P_{pub} = sP)$ 
and has access to two oracles, namely a DH-oracle that, given $Q \in G$, returns 
$sQ \in G$, and a challenge oracle that, each time it is invoked (it takes no input), 
returns a random challenge point $W \in G$. 

First, run $M(P, P_{pub})$ with its oracles. Let $W_1, \ldots, W_n$ denote the challenges 
returned by $M$’s challenge oracle. $M$ can ask at most $n - 1$ DH-oracle queries. 
We say that $M$ wins if its output is the sequence of points $sW_1, \ldots, sW_n \in G$, 
meaning that $M$ solves the DH problem for all the challenge points. In other words, 
the one-more DH assumption states that it is computationally infeasible for the 
adversary to solve the DH problem for all the challenge points if its DH-oracle 
queries are strictly fewer than its challenge oracle queries. (When the adversary 
makes one challenge query and no DH-oracle queries, this is the standard DH 
assumption.) 

We say that the one-more DH problem is $(t, \epsilon)$-hard if $\Pr[M \text{ wins}] < \epsilon$ for 
any $M$ which runs in time $t$. 

7.2 Security Proof 

Theorem 5. Let $H$ be a random oracle from $\{0,1\}^*$ to $G$. If the one-more DH 
problem is $(t', \epsilon')$-hard, then the ID-based identification scheme is $(t, q_I, q_H, \epsilon)$-secure 
against active attacks, where 

$$t > (t'/2) - \mathrm{poly}(k), \qquad \epsilon < \sqrt{e(1 + q_I)\epsilon'} + (1/q).$$ 

The proof will be given in the full version of the paper. 



8 ID-based Variants of GQ Schemes 

The GQ identification scheme is not ID-based, as mentioned in Section 1.3. However, 
we can easily obtain an ID-based variant of the GQ identification scheme by 
combining the FDH-RSA signature scheme with our transformation. Further, Coron 
showed a very tight security proof for the FDH-RSA signature scheme [9]. Hence 
we can obtain a tight security proof for the ID-based variant of the GQ identification 
scheme directly from Theorem 1. Similarly, we can obtain an ID-based variant 
of the GQ signature scheme. In particular, they are obtained by our transformation: 
RSA signature $\to$ ID-based GQ identification scheme $\to$ ID-based GQ signature. 
The details will be given in the full version of the paper. 

9 Conclusion 

We have formalized the concept of ID-based identification schemes. We have 
also presented a transformation from any digital signature scheme having a $\Delta$-challenge 
ZK protocol to an ID-based identification scheme. A concrete example 
is given based on Boneh et al.’s GDH signature scheme. Eventually, by using the 
Fiat-Shamir transformation, we arrive at an ID-based signature scheme which 
coincides with Cha and Cheon’s scheme. However, we can achieve a tighter 
security reduction due to our transformation. 
Abstract. In this paper, we examine issues related to the construction 
of identity-based threshold decryption schemes and argue that it is 
important in practice to design an identity-based threshold decryption 
scheme in which a private key associated with an identity is shared. A 
major contribution of this paper is to construct the first identity-based 
threshold decryption scheme secure against chosen-ciphertext attack. A 
formal proof of security of the scheme is provided in the random oracle 
model, assuming the Bilinear Diffie-Hellman problem is computationally 
hard. Another contribution of this paper is, by extending the proposed 
identity-based threshold decryption scheme, to construct a mediated 
identity-based encryption scheme secure against more powerful 
attacks than those considered previously. 



1 Introduction 

Threshold decryption is particularly useful where the centralization of the power 
to decrypt is a concern. The motivation of identity (ID)-based encryption, 
originally proposed by Shamir [17], is to provide confidentiality without the need 
to exchange public keys or keep public key directories. A major advantage 
of ID-based encryption is that it allows one to encrypt a message using a 
recipient’s identifier such as an email address. 

A combination of these two concepts will allow one to build an “ID-based 
threshold decryption” scheme. One possible application of such a scheme can 
be considered in a situation where an identity denotes the name of the group 
sharing a decryption key. As an example, suppose that Alice wishes to send a 
confidential message to a committee in an organization. Alice can first encrypt 
the message using the identity (name) of the committee and then send over the 
ciphertext. Let us assume that Bob who is the committee’s president has created 
the identity and hence has obtained a matching private decryption key from the 
Private Key Generator (PKG). Preparing for the time when Bob is away, he can 
share his private key out among a number of decryption servers in such a way 
that any committee member can successfully decrypt the ciphertext if, and only 
if, the committee member obtains a certain number of decryption shares from 
the decryption servers. 
Another application of the ID-based threshold decryption scheme is to use 
it as a building block to construct a mediated ID-based encryption scheme [7]. 
The idea is to split a private key associated with the receiver Bob’s ID into two 
parts, and give one share to Bob and the other to the Security Mediator (SEM). 
Accordingly, Bob can decrypt a ciphertext only with the help of the SEM. As 
a result, instantaneous revocation of Bob’s privilege to perform decryption is 
possible by instructing the SEM not to help him any more. 

In this paper, we deal with the problem of constructing an ID-based threshold 
decryption scheme which is efficient and practical while meeting a strong security 
requirement. We also treat the problem of applying the ID-based threshold 
decryption scheme to design a mediated ID-based encryption scheme secure against 
more powerful attacks than those considered previously in the literature. 

2 Preliminaries 

We first review the “admissible bilinear map”, which is the mathematical 
primitive that plays a central role in Boneh and Franklin’s ID-based encryption 
scheme [5]. 

Bilinear Map. The admissible bilinear map $e$ [5] is defined over two groups 
of the same prime order $q$, denoted by $\mathcal{G}$ and $\mathcal{F}$, in which the Computational 
Diffie-Hellman problem is hard. (By $\mathcal{G}^*$ and $\mathbb{Z}_q^*$, we denote $\mathcal{G} \setminus \{O\}$, where $O$ is 
the identity element of $\mathcal{G}$, and $\mathbb{Z}_q \setminus \{0\}$, respectively.) We will use additive 
notation to describe the operation in $\mathcal{G}$ while we will use multiplicative notation 
for the operation in $\mathcal{F}$. In practice, the group $\mathcal{G}$ is implemented using a group of 
points on certain elliptic curves, each of which has a small MOV exponent [15], 
and the group $\mathcal{F}$ will be implemented using a subgroup of the multiplicative 
group of a finite field. The admissible bilinear map, denoted by $e : \mathcal{G} \times \mathcal{G} \to \mathcal{F}$, 
has the following properties. 

— Bilinear: $e(aR_1, bR_2) = e(R_1, R_2)^{ab}$, where $R_1, R_2 \in \mathcal{G}$ and $a, b \in \mathbb{Z}_q^*$. 

— Non-degenerate: $e$ does not send all pairs of points in $\mathcal{G} \times \mathcal{G}$ to the identity 
in $\mathcal{F}$. (Hence, if $R$ is a generator of $\mathcal{G}$ then $e(R, R)$ is a generator of $\mathcal{F}$.) 

— Computable: For all $R_1, R_2 \in \mathcal{G}$, the map $e(R_1, R_2)$ is efficiently computable. 

Throughout this paper, we will simply use the term “Bilinear map” to refer 
to the admissible bilinear map defined above. 

The “BasicIdent” Scheme. We now describe Boneh and Franklin’s basic version 
of ID-based encryption scheme, called “BasicIdent”, which only gives semantic 
security (that is, indistinguishability under chosen plaintext attack). 

In the setup stage, the PKG specifies a group $\mathcal{G}$ generated by $P \in \mathcal{G}^*$ and the 
Bilinear map $e : \mathcal{G} \times \mathcal{G} \to \mathcal{F}$. It also specifies two hash functions $H_1 : \{0,1\}^* \to \mathcal{G}^*$ 
and $H_2 : \mathcal{F} \to \{0,1\}^l$, where $l$ denotes the length of a plaintext. The PKG then 
picks a master key $x$ uniformly at random from $\mathbb{Z}_q^*$ and computes a public 
key $Y_{PKG} = xP$. The PKG publishes descriptions of the groups $\mathcal{G}$ and $\mathcal{F}$ and 
the hash functions $H_1$ and $H_2$. Bob, the receiver, then contacts the PKG to get 
his private key $D_{ID} = xQ_{ID}$ where $Q_{ID} = H_1(\mathrm{ID})$. Alice, the sender, can now 
encrypt her message $M \in \{0,1\}^l$ using Bob’s identity ID by computing $U = rP$ 
and $V = H_2(e(Q_{ID}, Y_{PKG})^r) \oplus M$, where $r$ is chosen at random from $\mathbb{Z}_q^*$ and 
$Q_{ID} = H_1(\mathrm{ID})$. The resulting ciphertext $C = (U, V)$ is sent to Bob. Bob decrypts 
$C$ by computing $M = V \oplus H_2(e(D_{ID}, U))$. 

3 Related Work and Discussion 

Boneh and Franklin’s “Distributed PKG”. In order to prevent a single PKG from 
full possession of the master key in ID-based encryption, Boneh and Franklin [5] 
suggested that the PKG’s master key should be shared among a number of PKGs 
using the techniques of threshold cryptography, which they call “Distributed 
PKG”. More precisely, the PKG’s master key $x$ is distributed among a number 
of PKGs in such a way that each PKG holds a share $x_i \in \mathbb{Z}_q^*$ of a 
Shamir $(t, n)$-secret-sharing [16] of $x \in \mathbb{Z}_q^*$ and responds to a user’s private 
key extraction request with $x_i Q_{ID}$, where $Q_{ID} = H_1(\mathrm{ID})$. If the technique 
of [11] is used, one can ensure that the master key is jointly generated by the PKGs 
so that the master key is not stored or computed in any single location. 

As an extension of the above technique, Boneh and Franklin suggested that 
the distributed PKGs should function as decryption servers for threshold 
decryption. That is, each PKG responds to a decryption query $C = (U, V)$ in 
BasicIdent with $e(x_i Q_{ID}, U)$. However, we argue that this method is not quite 
practical since it requires each PKG to be involved at all times (that 
is, on-line) in the generation of decryption shares, because the value $U$ changes 
whenever a new ciphertext is created. Obviously, this creates a bottleneck at the 
PKGs and also violates one of the basic requirements of an ID-based encryption 
scheme, “the PKG can be closed after key generation”, which was envisioned by 
Shamir in his original proposal of ID-based cryptography [17]. Moreover, there 
is a scalability problem when the number of available distributed PKGs does not 
match the number of decryption servers required, say, there are only 
3 available PKGs while a certain application requires 5 decryption servers. 

Therefore, a better approach would be to share the private key associated with 
an identity rather than the master key of the PKG. In addition to its 
easy adaptability to the situation where an identity denotes a group sharing a 
decryption key, as described in Section 1, an advantage of this approach is that 
one can fully utilize Boneh and Franklin’s Distributed PKG method without the 
above-mentioned scalability problem, separating the role of “distributed PKGs” 
from that of “decryption servers”. That is, an authorized dealer (a representative 
of the group, such as “Bob” described in Section 1, or a single PKG) may submit 
an identity to each of the “distributed PKGs” and obtain a partial private key 
associated with the identity. Having obtained enough partial private keys, the dealer can 
construct the whole private key and distribute it among the “decryption servers” 
in his domain at will, while the master key remains secret from all parties. 

Other Related Work on ID-Based Threshold Decryption. To our knowledge, the other papers that have treated “threshold decryption” in the context of ID-based cryptography are [8] and [13]. Dodis and Yung [8] observed how threshold decryption can be realized in Gentry and Silverberg’s [12] “hierarchical ID-based encryption” setting. Interestingly, their approach is to share a private key (not the master key of the PKG) obtained from a user at a higher level. Although this was inevitable in the hierarchical ID-based encryption setting and its advantage in general ID-based cryptography was not mentioned in [8], it is a sounder approach than sharing the master key of the PKG, as we discussed above. However, their threshold decryption scheme is only sketched, and chosen-ciphertext security for the scheme was not considered in [8]. More recently, Libert and Quisquater [13] also constructed an ID-based threshold decryption scheme. However, their approach was to share the master key of the PKG, which is different from ours. Moreover, our scheme gives chosen-ciphertext security while Libert and Quisquater’s scheme does not. 

4 Security Notion for ID-based Threshold Decryption 

4.1 Description of Generic ID-based Threshold Decryption 

A generic ID-based threshold decryption scheme, which we denote by $\mathcal{IDTHD}$, consists of algorithms GK, EX, DK, E, D, SV, and SC. Below, we describe each of the algorithms. 

Like other ID-based cryptographic schemes, we assume the existence of a 
trusted PKG. The PKG runs the key/common parameter generation algorithm 
GK to generate its master/public key pair and all the necessary common pa- 
rameters. The PKG’s public key and the common parameters are given to every 
interested party. 

On receiving a user’s private key extraction request which consists of an 
identity, the PKG then runs the private key extraction algorithm EX to generate 
the private key associated with the requested identity. 

An authorized dealer who possesses the private key associated with an iden- 
tity can run the private key distribution algorithm DK to distribute the private 
key into n decryption servers. DK makes use of an appropriate secret-sharing 
technique to generate shares of the private key as well as verification keys that 
will be used for checking the validity of decryption shares. Each share of the 
private key and its corresponding verification key are sent to an appropriate de- 
cryption server. The decryption servers then keep their private key shares secret 
but publish the verification keys. It is important to note here that the entity that runs DK can vary flexibly depending on the cryptographic services that the PKG offers. For example, if the PKG’s only function is issuing private keys, the authorized dealer that runs DK would be a normal user (such as Bob in the example given in Section 1) other than the PKG. However, if the PKG has other functions, for example organizing threshold decryption, the PKG itself can run DK. 

Given a user’s identity, any user that wants to encrypt a plaintext can run 
the encryption algorithm E to obtain a ciphertext. A legitimate user that wants 
to decrypt a ciphertext gives it to the decryption servers requesting decryption 
shares. The decryption servers then run the decryption share generation algorithm D taking the ciphertext as input and send the resulting decryption shares 
to the user. Note that the validity of the shares can be checked by running the 
decryption share verification algorithm SV. When the user collects valid decryp- 
tion shares from at least t servers, the plaintext can be reconstructed by running 
the share combining algorithm SC. 



4.2 Chosen Ciphertext Security for ID-based Threshold Decryption 

We now define a security notion for the $\mathcal{IDTHD}$ scheme against chosen-ciphertext attack, which we call “IND-IDTHD-CCA”. 

Definition 1 (IND-IDTHD-CCA). Let $\mathcal{A}^{CCA}$ be an attacker assumed to be a probabilistic Turing machine. Suppose that a security parameter $k$ is given to $\mathcal{A}^{CCA}$ as input. Now, consider the following game in which the attacker $\mathcal{A}^{CCA}$ interacts with the “Challenger”. 

Phase 1: The Challenger runs the PKG’s key/common parameter generation algorithm taking a security parameter $k$ as input. The Challenger gives $\mathcal{A}^{CCA}$ the resulting common parameter $cp$, which includes the PKG’s public key $pk_{PKG}$. However, the Challenger keeps the master key $sk_{PKG}$ secret from $\mathcal{A}^{CCA}$. 

Phase 2: $\mathcal{A}^{CCA}$ issues a number of private key extraction queries. We denote each of these queries by $ID$. On receiving the identity query $ID$, the Challenger runs the private key extraction algorithm on input $ID$ and obtains a corresponding private key $sk_{ID}$. Then, the Challenger returns $sk_{ID}$ to $\mathcal{A}^{CCA}$. 

Phase 3: $\mathcal{A}^{CCA}$ corrupts $t-1$ out of $n$ decryption servers. 

Phase 4: $\mathcal{A}^{CCA}$ issues a target identity query $ID^*$. On receiving $ID^*$, the Challenger runs the private key extraction algorithm to obtain a private key $sk_{ID^*}$ associated with the target identity. The Challenger then runs the private key distribution algorithm on input $sk_{ID^*}$ with parameter $(t,n)$ and obtains a set of private/verification key pairs $\{(sk_{ID^*,i}, vk_{ID^*,i})\}$, where $1 \le i \le n$. Next, the Challenger gives $\mathcal{A}^{CCA}$ the private keys of the corrupted decryption servers and the verification keys of all the decryption servers. However, the private keys of the uncorrupted servers are kept secret from $\mathcal{A}^{CCA}$. 

Phase 5: $\mathcal{A}^{CCA}$ issues arbitrary private key extraction queries and arbitrary decryption share generation queries to the uncorrupted decryption servers. We denote each of these queries by $ID$ and $C$ respectively. On receiving $ID$, the Challenger runs the private key extraction algorithm to obtain a private key associated with $ID$ and returns it to $\mathcal{A}^{CCA}$. The only restriction here is that $\mathcal{A}^{CCA}$ is not allowed to query the target identity $ID^*$ to the private key extraction algorithm. On receiving $C$, the Challenger runs the decryption share generation algorithm taking $C$ and the target identity $ID^*$ as input to obtain a corresponding decryption share and returns it to $\mathcal{A}^{CCA}$. 

Phase 6: $\mathcal{A}^{CCA}$ outputs two equal-length plaintexts $(M_0, M_1)$. Then the Challenger chooses a bit $\beta$ uniformly at random and runs the encryption algorithm on input $cp$, $M_\beta$ and $ID^*$ to obtain a target ciphertext $C^* = E(cp, ID^*, M_\beta)$. Finally, the Challenger gives $(C^*, ID^*)$ to $\mathcal{A}^{CCA}$. 

Phase 7: $\mathcal{A}^{CCA}$ issues arbitrary private key extraction queries and arbitrary decryption share generation queries. We denote each of these queries by $ID$ and $C$ respectively. On receiving $ID$, the Challenger runs the private key extraction algorithm to obtain a private key associated with $ID$ and returns it to $\mathcal{A}^{CCA}$. As in Phase 5, the only restriction here is that $\mathcal{A}^{CCA}$ is not allowed to query the target identity $ID^*$ to the private key extraction algorithm. On receiving $C$, the Challenger runs the decryption share generation algorithm on input $C$ to obtain a corresponding decryption share and returns it to $\mathcal{A}^{CCA}$. Unlike in Phase 5, querying the target ciphertext $C^*$ is not allowed in this phase. 

Phase 8: $\mathcal{A}^{CCA}$ outputs a guess $\beta' \in \{0, 1\}$. 

We define $\mathcal{A}^{CCA}$’s success as a function $\mathrm{Succ}^{\text{IND-IDTHD-CCA}}_{\mathcal{A}^{CCA}}(k) = 2 \cdot \Pr[\beta' = \beta] - 1$. The ID-based threshold decryption scheme $\mathcal{IDTHD}$ is said to be IND-IDTHD-CCA secure if, for any attacker $\mathcal{A}^{CCA}$ whose running time is polynomially bounded, $\mathrm{Succ}^{\text{IND-IDTHD-CCA}}_{\mathcal{A}^{CCA}}(k)$ is negligible in $k$. 

5 Our ID-based Threshold Decryption Scheme 

5.1 Building Blocks 

First, we present the necessary building blocks that will be used to construct our ID-based threshold decryption scheme. We remark that since our ID-based threshold decryption scheme is also of the Diffie-Hellman (DH) type, it follows Shoup and Gennaro’s [18] framework for the design of DH-based threshold decryption schemes to some extent. However, our scheme has a number of features that distinguish it from the schemes in [18], due to the special properties of the underlying group $\mathcal{G}$. 

Publicly Checkable Encryption. Publicly checkable encryption is a particularly important tool for building threshold decryption schemes secure against chosen-ciphertext attack, as discussed by Lim and Lee [14]. The main reason is that in threshold decryption the attacker obtains decryption shares as additional information beyond the ciphertext, so there is a real chance for the attacker to collect enough decryption shares to recover the plaintext before the validity of the ciphertext is checked. (Readers are referred to [14] and [18] for more detailed discussions of this issue.) 

The public checkability of ciphertexts in threshold decryption schemes is usually given by non-interactive zero-knowledge (NIZK) proofs, e.g., [18,10]. However, we emphasize that in our scheme this can be done without a NIZK proof, by simply creating a tag on the ElGamal [9] ciphertext as follows. 

Let $M \in \{0,1\}^l$ be a message. Then, encrypt $M$ by creating a ciphertext $C = (U, V, W) = (rP,\ H_2(\kappa) \oplus M,\ rH_3(U, V))$, where $\kappa = e(H_1(ID), Y_{PKG})^r$, for hash functions $H_1 : \{0,1\}^* \to \mathcal{G}^*$, $H_2 : \mathcal{F} \to \{0,1\}^l$, and $H_3 : \mathcal{G}^* \times \{0,1\}^l \to \mathcal{G}^*$. Without recovering $M$ during the decryption process (that is, leaving the ciphertext $C$ intact), the validity of $C$ can be checked by testing whether $e(P, W) = e(U, H_3)$, where $H_3 = H_3(U, V) \in \mathcal{G}^*$. Note that this validity test exploits the fact that the Decisional Diffie-Hellman (DDH) problem can be solved in polynomial time in the group $\mathcal{G}$, and passing the test implies that $(P, U, H_3, W)$ is a Diffie-Hellman tuple, since $(P, U, H_3, W) = (P, rP, sP, rsP)$ assuming that $H_3 = sP \in \mathcal{G}^*$ for some $s \in \mathbb{Z}_q^*$. 
Sharing a Point on $\mathcal{G}$. In order to share a private key $D_{ID} \in \mathcal{G}$, we need some trick. In what follows, we present a Shamir $(t,n)$-secret-sharing over $\mathcal{G}$. 

Let $q$ be the prime order of a group $\mathcal{G}$ (of points on an elliptic curve). Let $S \in \mathcal{G}^*$ be a point to share. Suppose that we have chosen integers $t$ (a threshold) and $n$ satisfying $1 \le t \le n < q$. First, we pick $R_1, R_2, \ldots, R_{t-1}$ at random from $\mathcal{G}^*$. Then, we define a function $F : \mathbb{N} \cup \{0\} \to \mathcal{G}$ such that $F(u) = S + \sum_{i=1}^{t-1} u^i R_i$. (Note that in practice, “picking $R_i$ at random from $\mathcal{G}^*$” can be implemented by computing $r_i P$ for randomly chosen $r_i \in \mathbb{Z}_q^*$, where $P \in \mathcal{G}^*$ is a generator of $\mathcal{G}$.) We then compute $S_i = F(i) \in \mathcal{G}$ for $1 \le i \le n$ and send $(i, S_i)$ to the $i$-th member of the group of cardinality $n$. When the number of shares reaches the threshold $t$, the function $F(u)$ can be reconstructed by computing $F(u) = \sum_{i \in \Phi} c_i^{\Phi} S_i$, where $c_i^{\Phi} = \prod_{j \in \Phi,\, j \neq i} \frac{u - j}{i - j}$ is the Lagrange coefficient for a set $\Phi \subseteq \{1, \ldots, n\}$ such that $|\Phi| \ge t$. 
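The construction above, carried out in a small multiplicative group as an added example (this is not code from the paper): a prime-order subgroup of $\mathbb{Z}_p^*$ stands in for the elliptic-curve group $\mathcal{G}$, so the paper’s $S + u^i R_i$ becomes $S \cdot R_i^{u^i}$ and the scalar multiple $c_i^{\Phi} S_i$ becomes $S_i^{c_i^{\Phi}}$. The parameters $p = 2039$, $q = 1019$ and the generator $4$ are constructed toy values. The point of the exercise is the one the text makes: the dealer never needs the discrete logarithm of $S$, because sharing and Lagrange reconstruction use only the group operation and scalar multiplication.

```python
import secrets

# Constructed toy group (an assumption of this example, not the paper's curve):
# the subgroup of prime order q = 1019 inside Z_p^* for the safe prime
# p = 2q + 1 = 2039, written multiplicatively. The paper's additive notation
# translates as   S + R  ->  S * R mod p      and      c * S  ->  S^c mod p.
# Nothing below ever needs log_P(S): the dealer shares the point S itself.
P_MOD = 2039
Q_ORD = 1019
GEN = 4          # 2^2 is a quadratic residue, hence a generator of the order-q subgroup


def random_point():
    """Pick R in G* uniformly: r*P in the paper, i.e. GEN^r here, r in Z_q^*."""
    return pow(GEN, secrets.randbelow(Q_ORD - 1) + 1, P_MOD)


def share_point(S, t, n):
    """Shamir (t, n)-sharing of a group element S: shares S_i = F(i) for
    F(u) = S + sum_{k=1}^{t-1} u^k R_k, with R_k random in G*."""
    assert 1 <= t <= n < Q_ORD
    R = [random_point() for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        Si = S
        for k, Rk in enumerate(R, start=1):
            Si = Si * pow(Rk, pow(i, k, Q_ORD), P_MOD) % P_MOD   # "+ u^k R_k"
        shares[i] = Si
    return shares


def lagrange_coeff(i, members, u=0):
    """c_i^Phi = prod_{j in Phi, j != i} (u - j)/(i - j)  (mod q)."""
    num, den = 1, 1
    for j in members:
        if j != i:
            num = num * (u - j) % Q_ORD
            den = den * (i - j) % Q_ORD
    return num * pow(den, -1, Q_ORD) % Q_ORD


def reconstruct_point(shares, u=0):
    """F(u) = sum_i c_i^Phi S_i, computed as prod_i S_i^{c_i} in the group."""
    members = list(shares)
    acc = 1
    for i, Si in shares.items():
        acc = acc * pow(Si, lagrange_coeff(i, members, u), P_MOD) % P_MOD
    return acc


def demo(t=3, n=5):
    """Share a random point with (3, 5); any 3 shares recover it, 2 do not."""
    S = random_point()
    shares = share_point(S, t, n)
    from_t = reconstruct_point({i: shares[i] for i in (1, 3, 5)})
    from_t_minus_1 = reconstruct_point({i: shares[i] for i in (2, 4)})
    return S == from_t, S == from_t_minus_1
```

With $t = 3$, two shares determine only a line through the two points, and its value at $0$ differs from $S$ by $R_2^{-8}$, so the second reconstruction is wrong for every choice of $R_2 \in \mathcal{G}^*$; the randomness in the shares is what hides $S$, not the size of the toy group.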

Zero Knowledge Proof for the Equality of Two Discrete Logarithms Based on the Bilinear Map. To ensure that all decryption shares are consistent, that is, to give robustness to threshold decryption, we need a certain checking procedure. In contrast to the ciphertext validity checking mechanism in our publicly checkable encryption presented above, here we need a non-interactive zero-knowledge proof system, since the share of the key $\kappa$ is an element of the group $\mathcal{F}$, where the DDH problem is believed to be hard. 

Motivated by [6] and [18], we construct a zero-knowledge proof of membership system for the language $\mathrm{EDLog}_{g,\tilde{g}} \stackrel{\mathrm{def}}{=} \{(\kappa, \tilde{\kappa}) \in \mathcal{F} \times \mathcal{F} \mid \log_g \kappa = \log_{\tilde{g}} \tilde{\kappa}\}$, where $g = e(P, P)$ and $\tilde{g} = e(\tilde{P}, P)$ for generators $P$ and $\tilde{P}$ of $\mathcal{G}$ (the groups $\mathcal{G}$ and $\mathcal{F}$ and the bilinear map $e$ are as defined in Section 2), as follows. 

Suppose that $(P, \tilde{P}, g, \tilde{g})$ and $(\kappa, \tilde{\kappa}) \in \mathrm{EDLog}_{g,\tilde{g}}$ are given to the Prover and the Verifier, and the Prover knows a secret $S \in \mathcal{G}^*$. The proof system, which we call “ZKBm”, works as follows. 

— The Prover chooses a non-identity element $T$ uniformly at random from $\mathcal{G}$ and computes $\gamma = e(T, P)$ and $\tilde{\gamma} = e(T, \tilde{P})$. The Prover sends $\gamma$ and $\tilde{\gamma}$ to the Verifier. 

— The Verifier chooses $h$ uniformly at random from $\mathbb{Z}_q^*$ and sends it to the Prover. 

— On receiving $h$, the Prover computes $L = T + hS \in \mathcal{G}$ and sends it to the Verifier. The Verifier checks whether $e(L, P) = \gamma \kappa^h$ and $e(L, \tilde{P}) = \tilde{\gamma} \tilde{\kappa}^h$. If both equalities hold then the Verifier returns “Accept”, otherwise it returns “Reject”. 

The above protocol satisfies completeness, soundness and zero-knowledge against the honest Verifier. (The proof is given in the full version of this paper [1].) Note that ZKBm can easily be converted to a NIZK proof by making the random challenge an output of a random oracle [2]. Note also that the above protocol can be viewed as a proof that $(g, \tilde{g}, \kappa, \tilde{\kappa})$ is a Diffie-Hellman tuple since, if $(\kappa, \tilde{\kappa}) \in \mathrm{EDLog}_{g,\tilde{g}}$, then $\kappa = g^x$ and $\tilde{\kappa} = \tilde{g}^x$ for some $x \in \mathbb{Z}_q^*$, and hence $(g, \tilde{g}, \kappa, \tilde{\kappa}) = (g, \tilde{g}, g^x, \tilde{g}^x) = (g, g^y, g^x, g^{xy})$ for some $y \in \mathbb{Z}_q^*$. 
5.2 Description of Our Scheme IdThdBm 

We now describe our ID-based threshold decryption scheme. We call our scheme “IdThdBm”, meaning “ID-based threshold decryption scheme from the bilinear map”. IdThdBm consists of the following algorithms. 

— GK($k$): Given a security parameter $k$, this algorithm generates two groups $\mathcal{G}$ and $\mathcal{F}$ of the same prime order $q > 2^k$ and chooses a generator $P$ of $\mathcal{G}$. Then, it specifies the bilinear map $e : \mathcal{G} \times \mathcal{G} \to \mathcal{F}$ and the hash functions $H_1$, $H_2$, $H_3$ and $H_4$ such that $H_1 : \{0,1\}^* \to \mathcal{G}^*$; $H_2 : \mathcal{F} \to \{0,1\}^l$; $H_3 : \mathcal{G}^* \times \{0,1\}^l \to \mathcal{G}^*$; $H_4 : \mathcal{F} \times \mathcal{F} \times \mathcal{F} \to \mathbb{Z}_q^*$, where $l$ denotes the length of a plaintext. Next, it chooses the PKG’s master key $x$ uniformly at random from $\mathbb{Z}_q^*$ and computes the PKG’s public key $Y_{PKG} = xP$. Finally, it returns a common parameter $cp = (\mathcal{G}, q, P, e, H_1, H_2, H_3, H_4, Y_{PKG})$ while keeping the master key $x$ secret. 

— EX($cp$, $ID$): Given an identity $ID$, this algorithm computes $Q_{ID} = H_1(ID)$ and $D_{ID} = xQ_{ID}$. Then, it returns the private key $D_{ID}$ associated with $ID$. 

— DK($cp$, $ID$, $D_{ID}$, $t$, $n$) where $1 \le t \le n < q$: Given a private key $D_{ID}$, the number of decryption servers $n$ and a threshold parameter $t$, this algorithm first picks $R_1, R_2, \ldots, R_{t-1}$ at random from $\mathcal{G}$ and constructs $F(u) = D_{ID} + \sum_{i=1}^{t-1} u^i R_i$ for $u \in \{0\} \cup \mathbb{N}$. It then computes the $i$-th server’s private key $S_i = F(i)$ and verification key $y_i = e(S_i, P)$ for $1 \le i \le n$. Subsequently, it secretly sends the distributed private key $S_i$ and the verification key $y_i$ to the $i$-th server for $1 \le i \le n$. Each server then keeps $S_i$ secret while making $y_i$ public. 

— E($cp$, $ID$, $M$): Given a plaintext $M \in \{0,1\}^l$ and an identity $ID$, this algorithm chooses $r$ uniformly at random from $\mathbb{Z}_q^*$, and subsequently computes $Q_{ID} = H_1(ID)$ and $\kappa = e(Q_{ID}, Y_{PKG})^r$. It then computes 

$U = rP;\quad V = H_2(\kappa) \oplus M;\quad W = rH_3(U, V)$ 

and returns a ciphertext $C = (U, V, W)$. 

— D($cp$, $S_i$, $C$): Given the private key $S_i$ of a decryption server and a ciphertext $C = (U, V, W)$, this algorithm computes $H_3 = H_3(U, V)$ and checks whether $e(P, W) = e(U, H_3)$. 

If $C$ has passed the above test, this algorithm computes $\kappa_i = e(S_i, U)$, $\tilde{\kappa}_i = e(T_i, U)$, $\tilde{y}_i = e(T_i, P)$, $\lambda_i = H_4(\kappa_i, \tilde{\kappa}_i, \tilde{y}_i)$, and $L_i = T_i + \lambda_i S_i$ for random $T_i \in \mathcal{G}$, and outputs $\delta_{i,C} = (i, \kappa_i, \tilde{\kappa}_i, \tilde{y}_i, \lambda_i, L_i)$. Otherwise, it returns $\delta_{i,C} = (i, \text{“Invalid Ciphertext”})$. 

— SV($cp$, $\{y_i\}_{1 \le i \le n}$, $C$, $\delta_{i,C}$): Given a ciphertext $C = (U, V, W)$, a set of verification keys $\{y_1, \ldots, y_n\}$, and a decryption share $\delta_{i,C}$, this algorithm computes $H_3 = H_3(U, V)$ and checks whether $e(P, W) = e(U, H_3)$. 

If $C$ has passed the above test then this algorithm does the following: 

- If $\delta_{i,C}$ is of the form $(i, \text{“Invalid Ciphertext”})$ then return “Invalid Share”. 

- Else parse $\delta_{i,C}$ as $(i, \kappa_i, \tilde{\kappa}_i, \tilde{y}_i, \lambda_i, L_i)$ and compute $\lambda_i' = H_4(\kappa_i, \tilde{\kappa}_i, \tilde{y}_i)$. 

- Check whether $\lambda_i' = \lambda_i$, $e(L_i, U)/\kappa_i^{\lambda_i} = \tilde{\kappa}_i$ and $e(L_i, P)/y_i^{\lambda_i} = \tilde{y}_i$. 

- If all the tests above hold, return “Valid Share”, else output “Invalid Share”. 

Otherwise, it does the following: 

- If $\delta_{i,C}$ is of the form $(i, \text{“Invalid Ciphertext”})$, return “Valid Share”, else output “Invalid Share”. 



270 Joonsang Baek and Yuliang Zheng 



— SC($cp$, $C$, $\{\delta_{j,C}\}_{j \in \Phi}$): Given a ciphertext $C$ and a set of valid decryption shares $\{\delta_{j,C}\}_{j \in \Phi}$ where $|\Phi| \ge t$, this algorithm computes $H_3 = H_3(U, V)$ and checks whether $e(P, W) = e(U, H_3)$. 

If $C$ has not passed the above test, this algorithm returns “Invalid Ciphertext”. (In this case, all the decryption shares are of the form $(i, \text{“Invalid Ciphertext”})$.) 

Otherwise, it computes $\kappa = \prod_{j \in \Phi} \kappa_j^{c_j^{\Phi}}$ and $M = H_2(\kappa) \oplus V$, and returns $M$. 
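The whole IdThdBm flow (GK, EX, DK, E, D, SV, SC) end to end, as an added example that is not the authors’ code. No pairing-friendly curve is available in the Python standard library, so the example substitutes a constructed toy bilinear map: $\mathcal{G} = (\mathbb{Z}_q, +)$ with $P = 1$, $\mathcal{F}$ the order-$q$ subgroup of $\mathbb{Z}_p^*$ generated by $g$, and $e(A, B) = g^{AB}$, with $p = 2039$, $q = 1019$, $g = 4$ as toy parameters. This map is bilinear and non-degenerate, so every equation in the scheme holds exactly as in the text, but discrete logarithms in this $\mathcal{G}$ are trivial and the instantiation has no security whatsoever. The hash functions $H_1$ to $H_4$ are SHA-256 based stand-ins, the identity string is constructed, and the proof carried in each share is the Fiat-Shamir form of ZKBm from Section 5.1 with $H_4$ playing the random oracle.

```python
import hashlib
import secrets

# Constructed toy bilinear map, an assumption of this example (not the paper's
# curve): G = (Z_q, +) with generator P = 1, F = order-q subgroup of Z_p^*
# generated by g, e(A, B) = g^(A*B mod q). Bilinear and non-degenerate, but
# discrete logs in this G are trivial: NO security, it only exercises the algebra.
P_MOD, Q_ORD, G_GEN = 2039, 1019, 4    # safe prime p = 2q + 1; g = 2^2 has order q
P = 1                                  # generator of G


def e(A, B):
    return pow(G_GEN, A * B % Q_ORD, P_MOD)


def rand_scalar():                     # uniform in Z_q^*
    return secrets.randbelow(Q_ORD - 1) + 1


def _h(*parts):                        # SHA-256 based stand-in for the random oracles
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def H1(ID):                            # {0,1}^* -> G*
    return _h("H1", ID) % (Q_ORD - 1) + 1

def H2(kappa, l):                      # F -> {0,1}^l  (l counted in bytes, l <= 32)
    return hashlib.sha256(("H2|%d" % kappa).encode()).digest()[:l]

def H3(U, V):                          # G* x {0,1}^l -> G*
    return _h("H3", U, V.hex()) % (Q_ORD - 1) + 1

def H4(k, kt, yt):                     # F x F x F -> Z_q^*
    return _h("H4", k, kt, yt) % (Q_ORD - 1) + 1


def lagrange(i, members, u=0):         # c_i^Phi for the set `members`, evaluated at u
    num = den = 1
    for j in members:
        if j != i:
            num, den = num * (u - j) % Q_ORD, den * (i - j) % Q_ORD
    return num * pow(den, -1, Q_ORD) % Q_ORD


def GK():                              # master key x, public key Y_PKG = xP
    x = rand_scalar()
    return x, x * P % Q_ORD


def EX(x, ID):                         # D_ID = x Q_ID
    return x * H1(ID) % Q_ORD


def DK(D_ID, t, n):                    # S_i = F(i), y_i = e(S_i, P)
    R = [rand_scalar() for _ in range(t - 1)]
    F = lambda u: (D_ID + sum(Rk * pow(u, k, Q_ORD) for k, Rk in enumerate(R, 1))) % Q_ORD
    S = {i: F(i) for i in range(1, n + 1)}
    return S, {i: e(S[i], P) for i in S}


def E(Y, ID, M):                       # M: up to 32 bytes
    r = rand_scalar()
    kappa = pow(e(H1(ID), Y), r, P_MOD)
    U = r * P % Q_ORD
    V = bytes(a ^ b for a, b in zip(H2(kappa, len(M)), M))
    return U, V, r * H3(U, V) % Q_ORD  # W = r H3(U, V) is the public tag


def valid(C):                          # public check e(P, W) == e(U, H3(U, V))
    return e(P, C[2]) == e(C[0], H3(C[0], C[1]))


def D(i, S_i, C):                      # share plus Fiat-Shamir ZKBm proof, H4 as oracle
    if not valid(C):
        return (i, "Invalid Ciphertext")
    U, T = C[0], rand_scalar()
    k_i, kt_i, yt_i = e(S_i, U), e(T, U), e(T, P)
    lam = H4(k_i, kt_i, yt_i)
    return (i, k_i, kt_i, yt_i, lam, (T + lam * S_i) % Q_ORD)   # L_i = T_i + lambda_i S_i


def SV(y, C, share):
    if not valid(C):
        return "Valid Share" if share[1:] == ("Invalid Ciphertext",) else "Invalid Share"
    if share[1:] == ("Invalid Ciphertext",):
        return "Invalid Share"
    i, k_i, kt_i, yt_i, lam, L = share
    ok = (H4(k_i, kt_i, yt_i) == lam
          and e(L, C[0]) * pow(k_i, -lam, P_MOD) % P_MOD == kt_i
          and e(L, P) * pow(y[i], -lam, P_MOD) % P_MOD == yt_i)
    return "Valid Share" if ok else "Invalid Share"


def SC(C, shares):                     # kappa = prod_j kappa_j^{c_j}, M = H2(kappa) xor V
    if not valid(C):
        return "Invalid Ciphertext"
    members, kappa = [s[0] for s in shares], 1
    for i, k_i, *_ in shares:
        kappa = kappa * pow(k_i, lagrange(i, members), P_MOD) % P_MOD
    return bytes(a ^ b for a, b in zip(H2(kappa, len(C[1])), C[1]))


def demo(t=3, n=5, M=b"threshold decryption"):
    x, Y = GK()
    ID = "alice@example.org"           # constructed identity
    S, y = DK(EX(x, ID), t, n)
    C = E(Y, ID, M)
    shares = [D(i, S[i], C) for i in range(1, n + 1)]
    good = [s for s in shares if SV(y, C, s) == "Valid Share"]
    forged = shares[0][:1] + (shares[0][1] * G_GEN % P_MOD,) + shares[0][2:]
    tampered = D(1, S[1], (C[0], C[1], (C[2] + 1) % Q_ORD))
    return (SC(C, good[:t]) == M, len(good) == n, SC(C, good[:t - 1]) == M,
            SV(y, C, forged), tampered)
```

`demo()` reports, in order: whether the first $t$ valid shares recover $M$; whether all $n$ honest shares pass SV; whether $t-1$ shares recover $M$ (they never do, since the missing $R_{t-1}$ is non-zero); the verdict SV gives a share whose $\kappa_i$ was altered (rejected by the $H_4$ check or, failing that, by the pairing equations); and what D returns for a ciphertext whose tag $W$ was modified, which is “Invalid Ciphertext” before any share is produced. Running it with $t = n = 2$ exercises the same code with Lagrange coefficients $c_1 = 2$ and $c_2 = -1$.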

5.3 Security Analysis — IdThdBm 

Bilinear Diffie-Hellman Problem. First, we review the Bilinear Diffie-Hellman (BDH) problem, which was introduced by Boneh and Franklin [5]. 

Definition 2 (BDH). Let $\mathcal{G}$ and $\mathcal{F}$ be two groups of order $q$ where $q$ is prime, as defined in Section 2. Let $P \in \mathcal{G}^*$ be a generator of $\mathcal{G}$. Suppose that there exists a bilinear map $e : \mathcal{G} \times \mathcal{G} \to \mathcal{F}$. Let $\mathcal{A}^{BDH}$ be an attacker modelled as a probabilistic Turing machine. 

The BDH problem refers to the computational problem in which $\mathcal{A}^{BDH}$ is to compute the BDH key $e(P, P)^{abc}$ given $(\mathcal{G}, q, P, aP, bP, cP)$ and a security parameter $k$. We define $\mathcal{A}^{BDH}$’s success as a function $\mathrm{Succ}^{\mathrm{BDH}}_{\mathcal{A}^{BDH}}(k) = \Pr[\mathcal{A}^{BDH} \text{ outputs } e(P, P)^{abc}]$. The BDH problem is said to be computationally intractable if, for any attacker $\mathcal{A}^{BDH}$ whose running time is polynomially bounded, $\mathrm{Succ}^{\mathrm{BDH}}_{\mathcal{A}^{BDH}}(k)$ is negligible in $k$. 

Proof of Security. Regarding the security of the IdThdBm scheme, we obtain the following theorem. (For a more detailed proof, we refer readers to the full version of this paper [1].) 

Theorem 1. In the random oracle model, the IdThdBm scheme is IND-IDTHD-CCA secure if the BDH problem is computationally intractable. 

Proof. (Sketch) To prove the above theorem, we derive a non-ID-based threshold decryption scheme, which we call “ThdBm”, from the IdThdBm scheme. Actually, ThdBm is the same as IdThdBm except that it does not have a private key extraction algorithm, and hence the hash function $H_1 : \{0,1\}^* \to \mathcal{G}^*$ is not used. The private key $D$ of this scheme is generated by choosing $Q$ and $x$ uniformly at random from $\mathcal{G}^*$ and $\mathbb{Z}_q^*$ respectively, and computing $D = xQ$. The public key of this scheme consists of $(Q, Y)$, where $Y = xP$. Note that the private key $D$ is shared among $n$ decryption servers. The encryption of a plaintext message $m \in \{0,1\}^l$ can be done by choosing $r$ uniformly at random from $\mathbb{Z}_q^*$ and computing $U = rP$, $V = H_2(\kappa) \oplus m$, and $W = rH_3(U, V)$, where $d = e(Q, Y)$ and $\kappa = d^r$. 

As a first step, we show how to use the IND-IDTHD-CCA attacker $\mathcal{A}^{CCA}$ for IdThdBm to construct an IND-THD-CCA attacker $\mathcal{B}^{CCA}$ for ThdBm. (IND-THD-CCA denotes the chosen-ciphertext security notion for non-ID-based threshold decryption defined in [18].) First, $\mathcal{B}^{CCA}$ gives $Y$ to $\mathcal{A}^{CCA}$ as the PKG’s public key. $\mathcal{B}^{CCA}$ randomly chooses an index $\mu$ from the range $[1, q_{H_1}]$, where $q_{H_1}$ denotes the maximum number of queries made by $\mathcal{A}^{CCA}$ to the random oracle $H_1$. By $ID_\mu$ we denote the $\mu$-th query to the random oracle $H_1$. $\mathcal{B}^{CCA}$ hopes $ID_\mu$ to be the target identity $ID^*$ that $\mathcal{A}^{CCA}$ outputs at some stage. Now, if $\mathcal{A}^{CCA}$ queries $H_1$ at $ID \neq ID_\mu$, $\mathcal{B}^{CCA}$ responds with $\tau P$, where $\tau$ is randomly chosen from $\mathbb{Z}_q^*$. Otherwise, $\mathcal{B}^{CCA}$ responds with $Q$. Similarly, if $\mathcal{A}^{CCA}$ issues $ID \neq ID_\mu$ as a private key extraction query, $\mathcal{B}^{CCA}$ responds to the query with $\tau Y$, where $\tau$ is randomly chosen from $\mathbb{Z}_q^*$, and stops the simulation otherwise. (However, if $ID_\mu = ID^*$, this query is not allowed.) If $\mathcal{A}^{CCA}$ issues decryption share generation queries after it submits the target identity, $\mathcal{B}^{CCA}$ uses its decryption servers to answer those queries. Notice that if $ID_\mu = ID^*$, which happens with probability 
, the simulation is perfect. 

The next step is to show how to use the IND-THD-CCA attacker $\mathcal{B}^{CCA}$ for ThdBm to construct an attacker $\mathcal{A}^{BDH}$ for solving the BDH problem. Suppose that $(\mathcal{G}, q, e, P, aP, bP, cP)$ for random $a, b, c \in \mathbb{Z}_q^*$ are given to $\mathcal{A}^{BDH}$. Assume that $\mathcal{B}^{CCA}$ has access to the common parameter $(\mathcal{G}, q, P, e, H_2, H_3, H_4, Y, Q)$. First, $\mathcal{A}^{BDH}$ replaces $Y$ by $bP$ and $Q$ by $cP$. If $\mathcal{B}^{CCA}$ corrupts a subset of $t-1$ servers, where $t$ is a threshold parameter, $\mathcal{A}^{BDH}$ assumes without loss of generality that the servers $1, 2, \ldots, t-1$ have been corrupted. $\mathcal{A}^{BDH}$ then chooses $S_1, S_2, \ldots, S_{t-1}$ uniformly at random from $\mathcal{G}$ and computes $y_i = e(Q, Y)^{c_0^{\Phi}} \prod_{j=1}^{t-1} e(S_j, P)^{c_j^{\Phi}}$, where $t \le i \le n$ and $c_j^{\Phi}$ denotes the Lagrange coefficient (for evaluation point $i$) for the set $\Phi = \{0, 1, \ldots, t-1\}$. $\mathcal{A}^{BDH}$ sends $y_i$ to each of the uncorrupted decryption servers, that is, $\mathcal{A}^{BDH}$ replaces the verification keys with the new $y_i$ computed above. 

Whenever the random oracle $H_3$ is queried at some point by $\mathcal{B}^{CCA}$, $\mathcal{A}^{BDH}$ picks $s$ uniformly at random from $\mathbb{Z}_q^*$, computes $H_3 = sY$, and responds to $\mathcal{B}^{CCA}$ with it. On receiving queries to the other random oracles, $\mathcal{A}^{BDH}$ picks values at random from the ranges of the random oracles and responds with them. 

When $\mathcal{B}^{CCA}$ submits two plaintexts $(M_0, M_1)$ to the encryption oracle, $\mathcal{A}^{BDH}$ creates a target ciphertext $C^* = (U^*, V^*, W^*)$ as follows. First, $\mathcal{A}^{BDH}$ sets $U^* = aP$. $\mathcal{A}^{BDH}$ then picks a string $V^*$ at random from $\{0,1\}^l$, computes $H_3^* = s^* P$ for random $s^* \in \mathbb{Z}_q^*$ and sets $H_3^* = H_3(U^*, V^*)$. $\mathcal{A}^{BDH}$ also computes $W^* = s^* U^*$. Having created $C^*$, $\mathcal{A}^{BDH}$ returns it to $\mathcal{B}^{CCA}$ as a target ciphertext. Note here that $e(P, W^*) = e(U^*, H_3^*)$ since $(P, U^*, H_3^*, W^*) = (P, aP, s^* P, s^* aP)$ and hence is a legitimate Diffie-Hellman tuple. Therefore, as long as $\mathcal{B}^{CCA}$ does not query the random oracle $H_2$ at the point $e(P, P)^{abc}$, the simulation is perfect. However, such an event happening means that $\mathcal{A}^{BDH}$ is able to solve the BDH problem. So $\mathcal{A}^{BDH}$ simulates $\mathcal{B}^{CCA}$’s view up to this event. 

Now, suppose that $\mathcal{B}^{CCA}$ has already made a query $(U, V)$ to the random oracle $H_3$. By the construction of the simulator for $H_3$, we have $H_3 = H_3(U, V) = sY$ for random $s \in \mathbb{Z}_q^*$. Since $\mathcal{A}^{BDH}$ knows the value $s$, $\mathcal{A}^{BDH}$ can compute $K = (1/s)W$ and hence $\kappa = e(Q, K)$. Note here that $(1/s)W = (1/s)rsY = rY = rxP$ and $Q = cP$. Then, $\mathcal{A}^{BDH}$ computes $\kappa_i = \kappa^{c_0^{\Phi}} \prod_{j=1}^{t-1} e(S_j, U)^{c_j^{\Phi}}$ for $t \le i \le n$. It is easy to check that $\kappa_i$ is a correct $i$-th share of the BDH key $\kappa = e(Q, Y)^r$. 

The rest is a simulation of a full decryption share $\delta_{i,C} = (i, \kappa_i, \tilde{\kappa}_i, \tilde{y}_i, \lambda_i, L_i)$. This can easily be done by the zero-knowledge simulation technique, responding to queries to the random oracle $H_4$ with an element randomly chosen from $\mathbb{Z}_q^*$. □ 

6 Application to Mediated ID-based Encryption 

6.1 Security Issues in Mediated ID-based Encryption 

The main motivation of mediated cryptography [4] is to revoke a user’s privilege 
to perform cryptographic operations such as decrypting ciphertexts or signing 
messages instantaneously. In [4], Boneh et al. constructed the first mediated 
encryption and signature schemes using the RSA primitive. Their idea is to split 
a user’s private key into two parts and give one piece to the on-line Security 
Mediator (SEM) and the other to the user. To decrypt or sign, the user must 
acquire a message-specific token which is associated with the SEM part of private 
key from the SEM. As a result, revocation is achieved by instructing the SEM 
not to issue tokens for the user. 

Recently, the problem of realizing mediated encryption in the ID-based set- 
ting was considered by Ding and Tsudik [7]. They proposed an ID-based medi- 
ated encryption scheme based on RSA-OAEP [3]. Although their scheme offers 
good performance and practicality, it has a drawback which stems from the fact 
that a common RSA modulus is used for all the users within the system and 
hence, to guarantee the security of Ding and Tsudik’s scheme, one should assume 
that the SEM’s private key must be protected throughout the life of the system. 

As an alternative to Ding and Tsudik’s solution, Libert and Quisquater [13] proposed a new mediated ID-based encryption scheme based on Boneh and Franklin’s ID-based encryption scheme. In terms of security, it has an advantage over Ding and Tsudik’s scheme in the sense that a compromise of the SEM’s private key does not lead to a break of the whole system. In contrast to this positive result, Libert and Quisquater observed that even if the SEM’s private key is protected, their scheme as well as Ding and Tsudik’s scheme is not secure against an “inside attack”, in which an attacker who possesses the user part of the private key conducts a chosen-ciphertext attack. As a result, it must be strictly assumed in those schemes that users’ private keys are protected in order to ensure chosen-ciphertext security. In practice, this assumption is fairly strong, in that users are more likely to compromise their private keys than the SEM is, since the SEM is usually assumed to be a trusted entity configured by a system administrator. 

However, in the following section, we present a new mediated ID-based en- 
cryption scheme based on our IdThdBm scheme, which is secure against cipher- 
text attack in a strong sense, that is, secure against chosen-ciphertext attack 
conducted by the attacker that obtains the user part of private key. 

6.2 Description of Our Scheme mIdeBm 

We describe our mediated ID-based encryption scheme “mIdeBm”, based on the IdThdBm scheme with $(t, n) = (2, 2)$, as follows. 

— Setup: Given a security parameter $k$, the PKG runs the key generation algorithm of IdThdBm. The output of this algorithm, $cp = (\mathcal{G}, q, P, e, H_1, H_2, H_3, H_4, Y_{PKG})$, is as defined in the description of IdThdBm. Note that $cp$ is given to all interested parties while the master key $x$ is kept secret within the PKG. 

— Keygen: Given a user’s identity $ID$, the PKG computes $Q_{ID} = H_1(ID)$ and $D_{ID} = xQ_{ID}$. It then splits $D_{ID}$ using the $(2, 2)$-secret-sharing technique as follows.† 

• Pick $R$ at random from $\mathcal{G}^*$ and construct $F(u) = D_{ID} + uR$ for $u \in \{0\} \cup \mathbb{N}$. 

• Compute $D_{ID,sem} = F(1)$ and $D_{ID,user} = F(2)$. 

The PKG gives $D_{ID,sem}$ to the SEM and $D_{ID,user}$ to the user. 

— Encrypt: Given a plaintext $M \in \{0,1\}^l$ and a user’s identity $ID$, a sender creates a ciphertext $C = (U, V, W)$ such that 

$U = rP;\quad V = H_2(\kappa) \oplus M;\quad W = rH_3(U, V),$ 

where $\kappa = e(H_1(ID), Y_{PKG})^r$ for random $r \in \mathbb{Z}_q^*$. 

— Decrypt: When receiving $C = (U, V, W)$, a user forwards it to the SEM. The SEM and the user perform the following in parallel. 

• SEM (We call this procedure “SEM oracle”): 

1. Check whether the user’s identity $ID$ is revoked. If it is, return “ID Revoked”. 

2. Otherwise, do the following: 

* Compute $H_3 = H_3(U, V)$ and check whether $e(P, W) = e(U, H_3)$. If $C$ has passed this test, compute $\kappa_{sem} = e(D_{ID,sem}, U)$ and send $\delta_{ID,sem,C} = (sem, \kappa_{sem})$ to the user. Otherwise, send $\delta_{ID,sem,C} = (sem, \text{“Invalid Ciphertext”})$ to the user. 

• User (We call this procedure “User oracle”): 

1. Compute $H_3 = H_3(U, V)$ and check whether $e(P, W) = e(U, H_3)$. If $C$ has passed this test, compute $\kappa_{user} = e(D_{ID,user}, U)$. Otherwise, return “Reject” and terminate. 

2. Get $\delta_{ID,sem,C}$ from the SEM and do the following: 

* If $\delta_{ID,sem,C}$ is of the form $(sem, \text{“Invalid Ciphertext”})$, return “Reject” and terminate. Otherwise, compute $\kappa = \kappa_{sem}^{c_{01}} \kappa_{user}^{c_{02}}$, where $c_{01}$ and $c_{02}$ denote the Lagrange coefficients for the set $\Phi = \{1, 2\}$, and $M = H_2(\kappa) \oplus V$, and return $M$. 

Notice that in the SEM oracle of the above scheme, the validity of a ciphertext is checked before generating a token, in the same way as the decryption share generation algorithm of IdThdBm does. 

6.3 Security Analysis — mIdeBm 

In this section, we show that the chosen-ciphertext security of the above scheme 
against the strong attacker that obtains the user part of private key is relative 
to the IND-IDTHD-CCA (Definition 1) security of the (2, 2)-IdThdBm scheme. 

To begin with, we define IND-mID-sCCA (indistinguishability of mediated 
ID-based encryption against strong chosen-ciphertext attack), which is similar 
to IND-mID-wCCA (“w” stands for “weak”) defined in [13] but assumes the 
stronger attacker that can corrupt users to get their private keys. 

† In this particular case of $(2, 2)$-secret-sharing, one may share $D_{ID}$ by taking a random $D_{ID,sem}$ and computing $D_{ID,user} = D_{ID} - D_{ID,sem}$ for efficiency. 
Definition 3 (IND-mID-sCCA). Let $\mathcal{A}^{sCCA}$ be an attacker that defeats the IND-mID-sCCA security of a mediated ID-based encryption scheme $\mathcal{MIDE}$ which consists of Setup, Keygen, Encrypt and Decrypt algorithms. (For details of these algorithms, readers are referred to mIdeBm given in Section 6.2.) We assume that $\mathcal{A}^{sCCA}$ is a probabilistic Turing machine taking a security parameter $k$ as input. Consider the following game in which the attacker $\mathcal{A}^{sCCA}$ interacts with the “Challenger”. 

Phase 1: The Challenger runs the Setup algorithm taking a security parameter $k$. The Challenger then gives the common parameter to $\mathcal{A}^{sCCA}$. 

Phase 2: Having obtained the common parameter, $\mathcal{A}^{sCCA}$ issues the following queries. 

• “User key extraction” query $ID$: On receiving this query, the Challenger runs the Keygen algorithm to obtain the user part of the private key and sends it to $\mathcal{A}^{sCCA}$. 

• “SEM key extraction” query $ID$: On receiving this query, the Challenger runs the Keygen algorithm to obtain the SEM part of the private key and sends it to $\mathcal{A}^{sCCA}$. 

• “SEM oracle” query $(ID, C)$: On receiving this query, the Challenger runs the Keygen algorithm to obtain the SEM part of the private key. Taking the resulting private key as input, the Challenger runs the SEM oracle in the Decrypt algorithm to obtain a decryption token for $C$ and sends it to $\mathcal{A}^{sCCA}$. 

• “User oracle” query $(ID, C)$: On receiving this query, the Challenger runs the Keygen algorithm to obtain the User part of the private key. Taking the resulting private key as input, the Challenger runs the User oracle in the Decrypt algorithm to obtain a decryption token for $C$ and sends it to $\mathcal{A}^{sCCA}$. 

Phase 3: $\mathcal{A}^{sCCA}$ selects two equal-length plaintexts $(M_0, M_1)$ and a target identity $ID^*$ which was not queried before. On receiving $(M_0, M_1)$ and $ID^*$, the Challenger runs the Keygen algorithm to obtain the User and SEM parts of the private key associated with $ID^*$. The Challenger then chooses $\beta \in \{0, 1\}$ at random and creates a target ciphertext $C^*$ by encrypting $M_\beta$ under the target identity $ID^*$. The Challenger gives the target ciphertext and the User part of the private key to $\mathcal{A}^{sCCA}$. 

Phase 4: $\mathcal{A}^{sCCA}$ continues to issue “User key extraction” queries $ID \neq ID^*$, “SEM key extraction” queries $ID \neq ID^*$, “SEM oracle” queries $(ID, C) \neq (ID^*, C^*)$, and “User oracle” queries $(ID, C) \neq (ID^*, C^*)$. The details of these queries are as described in Phase 2. 

Phase 5: $\mathcal{A}^{sCCA}$ outputs a guess $\beta' \in \{0, 1\}$. 

We define $\mathcal{A}^{sCCA}$’s success as a function $\mathrm{Succ}^{\text{IND-mID-sCCA}}_{\mathcal{A}^{sCCA}}(k) = 2 \cdot \Pr[\beta' = \beta] - 1$. The mediated ID-based encryption scheme $\mathcal{MIDE}$ is said to be IND-mID-sCCA secure if, for any attacker $\mathcal{A}^{sCCA}$ whose running time is polynomially bounded, $\mathrm{Succ}^{\text{IND-mID-sCCA}}_{\mathcal{A}^{sCCA}}(k)$ is negligible in $k$. 

We now state and prove the following theorem. (Readers are referred to [1] 
for a more detailed proof.) 
Theorem 2. If the $(2, 2)$-IdThdBm scheme is IND-IDTHD-CCA secure then the mIdeBm scheme is IND-mID-sCCA secure. 

Proof. (Sketch) We show how to use the IND-mID-sCCA attacker $\mathcal{A}^{sCCA}$ for mIdeBm to construct an IND-IDTHD-CCA attacker $\mathcal{A}^{CCA}$ for IdThdBm. 

When $\mathcal{A}^{sCCA}$ issues a new “User key extraction” or “SEM key extraction” query, which is an $ID$, $\mathcal{A}^{CCA}$ forwards $ID$ to its Challenger as a private key extraction query, obtains a private key $D_{ID}$ associated with $ID$, and gives $D_{ID}$ to $\mathcal{A}^{sCCA}$. Having done this, $\mathcal{A}^{CCA}$ splits $D_{ID}$ into $D_{ID,sem}$ and $D_{ID,user}$ using the $(2, 2)$-secret-sharing technique. $\mathcal{A}^{CCA}$ then adds $(ID, D_{ID,user})$ and $(ID, D_{ID,sem})$ to UserKeyList and SEMKeyList respectively. Using these lists, $\mathcal{A}^{CCA}$ answers $\mathcal{A}^{sCCA}$’s “SEM oracle” and “User oracle” queries, each of which consists of $(ID, C)$. If necessary, $\mathcal{A}^{CCA}$ forwards the $ID$ in those queries to its Challenger to get a private key associated with it. It should be emphasized here that $\mathcal{A}^{CCA}$ always checks the validity of the ciphertext $C = (U, V, W)$ by testing whether $e(P, W)$ equals $e(U, H_3(U, V))$. If $C$ does not pass this test, $\mathcal{A}^{CCA}$ rejects it. 

Once $\mathcal{A}^{sCCA}$ issues two equal-length plaintexts $(M_0, M_1)$ and a target identity $ID^*$, $\mathcal{A}^{CCA}$ forwards $(M_0, M_1, ID^*)$ to its Challenger. On receiving $(M_0, M_1, ID^*)$, the Challenger runs the private key extraction algorithm of IdThdBm to get a private key $D_{ID^*}$ associated with $ID^*$ and runs the private key distribution algorithm of IdThdBm to split $D_{ID^*}$ into $D_{ID^*,sem}$ and $D_{ID^*,user}$. The Challenger gives $D_{ID^*,user}$ to $\mathcal{A}^{CCA}$ as a corrupted party’s private key. $\mathcal{A}^{CCA}$ then sends this back to $\mathcal{A}^{sCCA}$. In doing so, the strong attacker $\mathcal{A}^{sCCA}$ possesses the user part of the private key. Now, the Challenger chooses $\beta \in \{0, 1\}$ at random and runs the encryption algorithm E of IdThdBm taking $(M_\beta, ID^*)$ as input and gets a target ciphertext $C^*$. The Challenger gives it to $\mathcal{A}^{CCA}$. Then, $\mathcal{A}^{CCA}$ sends $C^*$ back to $\mathcal{A}^{sCCA}$. 

$\mathcal{A}^{CCA}$ answers “User key extraction”, “SEM key extraction”, “SEM oracle”, and “User oracle” queries in the same way it did before. Note, however, that the cases when $(ID, C^*)$ and $(ID^*, C)$ are asked as “SEM oracle” and “User oracle” queries should be handled at this stage. In particular, $\mathcal{A}^{CCA}$ uses its decryption servers to handle the query $(ID^*, C)$. 

Finally, if $\mathcal{A}^{sCCA}$ outputs a guess $\beta' \in \{0, 1\}$, $\mathcal{A}^{CCA}$ returns it as its guess. □ 

7 Concluding Remarks 

In this paper, we discussed the issues related to the realization of ID-based 
threshold decryption and proposed the first threshold ID-based decryption 
scheme provably secure against chosen-ciphertext attack. We also showed how 
our ID-based threshold decryption scheme can result in a mediated ID-based 
encryption scheme secure against “inside attack” , whereby an attacker who pos- 
sesses a user part of private key conducts chosen-ciphertext attack. 

Interesting future research would be finding more security applications where 
“ID-based threshold decryption” is particularly useful. 
Abstract. In Asiacrypt 2001, Boneh, Lynn, and Shacham [8] proposed
a short signature scheme (BLS scheme) using bilinear pairing on certain
elliptic and hyperelliptic curves. Subsequently numerous cryptographic
schemes based on the BLS signature scheme were proposed. The BLS
short signature needs a special hash function [6, 1, 8]. This hash function
is probabilistic and generally inefficient. In this paper, we propose a
new short signature scheme from the bilinear pairings that, unlike BLS,
uses general cryptographic hash functions such as SHA-1 or MD5, and
does not require special hash functions. Furthermore, the scheme requires
fewer pairing operations than the BLS scheme and so is more efficient than
the BLS scheme. We use this signature scheme to construct a ring signature
scheme and a new method for delegation. We give the security proofs for
the new signature scheme and the ring signature scheme in the random
oracle model.

Keywords: Short signature, Bilinear pairings, ID-based cryptography, Ring
signature, Proxy signature

1 Introduction

In recent years, bilinear pairings have found various applications in cryptography
and have allowed us to construct some new cryptographic schemes [5, 6, 7,
8, 11, 20, 23, 27]. The BLS scheme is a signature scheme that uses bilinear pairings
and has the shortest length among signature schemes in classical cryptography.
The scheme is based on the Weil pairing and can be obtained from the private
key extraction process of Boneh-Franklin's [6] ID-based encryption scheme. The BLS
short signature needs a special hash function, i.e., an admissible encoding function
called MapToPoint that is also used by most conventional cryptographic
schemes from pairings. Although there has been much discussion of the
construction of such hash algorithms [1, 8], to our knowledge, all these algorithms
are still probabilistic and there is no deterministic polynomial time algorithm
for them.

The Computational Diffie-Hellman Problem (CDHP) is a well-studied problem
and its hardness is widely believed to be closely related to the hardness of the
Discrete Logarithm Problem (DLP). There are two variations of CDHP: the Inverse
Computational Diffie-Hellman Problem (Inv-CDHP) and the Square Computational
Diffie-Hellman Problem (Squ-CDHP).

In this paper, we propose a new short signature scheme that is constructed
from Inv-CDHP based on bilinear pairing and does not require any special hash
function. We note that in pairing based cryptosystems, the computation of the
pairing is the most time-consuming operation. Although numerous papers discuss the
complexity of pairings and how to speed up the pairing computation [2, 11], the
computation of the pairing still remains time-consuming. Our new scheme uses
fewer pairing operations than the BLS scheme, and hence, is more efficient than the BLS
scheme. Based on the new signature scheme, we propose a ring signature scheme
and a new method for delegation and some proxy signature schemes. We prove
the security of the new signature scheme and the corresponding ring signature
scheme in the random oracle model (the cryptographic hash function (such
as MD5 or SHA-1) is seen as an oracle which produces a random value for each
new query).

The rest of the paper is organized as follows: The next section briefly explains
the bilinear pairing and some problems related to pairings. Section 3 gives the
new basic signature scheme and its security analysis, and Section 4 relates it to
the ID-based public key setting. Based on this basic signature scheme, we give a
ring signature scheme and some proxy signature schemes in Sections 5 and 6,
respectively. Section 7 concludes this paper.

2 Bilinear Pairing and Some Problems

Let $G_1$ be a cyclic additive group generated by P, whose order is a prime q, and
$G_2$ be a cyclic multiplicative group with the same order q. Let $e : G_1 \times G_1 \to G_2$
be a map with the following properties:

1. Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$, $a, b \in \mathbb{Z}_q$;

2. Non-degeneracy: There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$; in other
words, the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$;

3. Computability: There is an efficient algorithm to compute $e(P, Q)$ for all
$P, Q \in G_1$.

In our setting of prime order groups, the Non-degeneracy is equivalent to
$e(P, Q) \neq 1$ for all $P, Q \in G_1$ with $P, Q \neq O$. So, when P is a generator of $G_1$, $e(P, P)$ is a
generator of $G_2$. Such a bilinear map is called a bilinear pairing (more precisely,
called an admissible bilinear pairing).

We consider the following problems in the additive group $(G_1; +)$.

— Discrete Logarithm Problem (DLP): Given two group elements P and
Q, find an integer $n \in \mathbb{Z}_q^*$ such that $Q = nP$ whenever such an integer
exists.

— Decision Diffie-Hellman Problem (DDHP): For $a, b, c \in \mathbb{Z}_q^*$, given
$P, aP, bP, cP$, decide whether $c = ab \bmod q$.

— Computational Diffie-Hellman Problem (CDHP): For $a, b \in \mathbb{Z}_q^*$, given
$P, aP, bP$, compute $abP$.

There are two variations of CDHP:

— Inverse Computational Diffie-Hellman Problem (Inv-CDHP): For
$a \in \mathbb{Z}_q^*$, given $P, aP$, compute $a^{-1}P$.

— Square Computational Diffie-Hellman Problem (Squ-CDHP): For
$a \in \mathbb{Z}_q^*$, given $P, aP$, compute $a^2P$.

The following theorem relates these problems [17, 22].

Theorem 1. CDHP, Inv-CDHP and Squ-CDHP are polynomial time equivalent.

Assumptions: We assume that DLP, CDHP, Inv-CDHP and Squ-CDHP are
hard, which means there is no polynomial time algorithm to solve any of them
with non-negligible probability.

A Gap Diffie-Hellman (GDH) group is a group in which the DDHP is easy but
the CDHP is hard. From a bilinear pairing, we can obtain a GDH group.
Such groups can be found on supersingular elliptic curves or hyperelliptic curves
over finite fields, and the bilinear pairings can be derived from the Weil or Tate
pairing. For more details, we refer the readers to [6, 9, 13].

All schemes in this paper can work on any GDH group. Throughout this
paper, we define the system parameters in all schemes as follows. Let P be a
generator of $G_1$ with order q, and let the bilinear pairing be given by $e : G_1 \times G_1 \to G_2$.
These system parameters can be obtained using a GDH Parameter Generator
$\mathcal{IG}$ [6]. Define a cryptographic hash function $H : \{0, 1\}^* \to \{0, 1\}^\lambda$, where
$|q| \geq \lambda \geq 160$.

3 New Short Signature Scheme from Bilinear Pairings

3.1 The Basic Signature Scheme

A signature scheme consists of the following four algorithms: a parameter generation
algorithm ParamGen, a key generation algorithm KeyGen, a signature
generation algorithm Sign and a signature verification algorithm Ver.

We describe the new signature scheme as follows:

1. ParamGen. The system parameters are $\{G_1, G_2, e, q, P, H\}$.

2. KeyGen. Randomly select $x \in_R \mathbb{Z}_q^*$, and compute $P_{pub} = xP$. The public
key is $P_{pub}$. The secret key is x.

3. Sign. Given a secret key x, and a message m, compute $S = \frac{1}{H(m)+x}P$. The
signature is S.

4. Ver. Given a public key $P_{pub}$, a message m, and a signature S, verify whether

$e(H(m)P + P_{pub}, S) = e(P, P)$.

The verification works because of the following equations:

$e(H(m)P + P_{pub}, S) = e((H(m) + x)P, (H(m) + x)^{-1}P) = e(P, P)^{(H(m)+x) \cdot (H(m)+x)^{-1}} = e(P, P)$
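To make the four algorithms concrete, here is an added example (not code from the paper) that runs the scheme over a toy bilinear map: a point aP is represented by the scalar a in $\mathbb{Z}_q$ and $e(aP, bP)$ is computed as $g^{ab}$ in an order-q subgroup of $\mathbb{Z}_p^*$. Such a map leaks every discrete log and is insecure; it only lets the equations of Sign and Ver be executed and checked. The prime q = 1019, p = 2q + 1, the generator g, and the use of SHA-256 reduced mod q as H are assumptions made for the example.

```python
# Added example, not code from the paper: the basic scheme of Section 3.1 run
# over a TOY bilinear map so the signing and verification equations can be
# checked. A point aP of G1 is stored as its scalar a in Z_q (P = 1), and
# e(aP, bP) = g^(ab) in the order-q subgroup of Z_p^*. Since elements expose
# their discrete logs the map is NOT secure; it only reproduces the algebra.
# q, p, g and the SHA-256-based H are assumptions made for this example.
import hashlib
import secrets

Q = 1019                 # prime order of G1 (toy; the paper assumes |q| >= 160 bits)
P_MOD = 2 * Q + 1        # 2039, prime, so Z_2039^* contains a subgroup of order Q
G = pow(2, (P_MOD - 1) // Q, P_MOD)   # generator of that subgroup
P = 1                    # generator of G1; the scalar a stands for the point aP


def e(a, b):
    """Toy pairing: e(aP, bP) = g^(ab mod q)."""
    return pow(G, (a * b) % Q, P_MOD)


def H(msg: bytes) -> int:
    """General-purpose hash into Z_q (the paper's H: {0,1}* -> {0,1}^lambda)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    """KeyGen: x in Z_q^*, P_pub = xP."""
    x = secrets.randbelow(Q - 1) + 1
    return x, (x * P) % Q


def sign(x, msg):
    """Sign: S = (H(m) + x)^-1 P."""
    h = H(msg)
    if (h + x) % Q == 0:
        # No inverse exists. Negligible for a 160-bit q, but an implementation
        # must reject this case instead of producing a bogus signature.
        raise ValueError("H(m) + x == 0 mod q")
    return (pow(h + x, -1, Q) * P) % Q


E_PP = e(P, P)  # e(P, P) can be precomputed and published (Section 3.3)


def verify(ppub, msg, sig):
    """Ver: e(H(m)P + P_pub, S) == e(P, P)."""
    return e((H(msg) * P + ppub) % Q, sig) == E_PP


if __name__ == "__main__":
    m = b"transfer 10 BTC to alice"
    x, ppub = keygen()
    while (H(m) + x) % Q == 0:          # toy-size q only; retry the key
        x, ppub = keygen()
    s = sign(x, m)
    assert verify(ppub, m, s)
    assert not verify(ppub, m, (s + 1) % Q)          # tampered signature
    assert not verify((ppub + 1) % Q, m, s)          # wrong public key
    # A different message verifies only if its hash collides with H(m) mod q,
    # which happens with probability 1/q per message: H must be as wide as q.
    m2 = b"transfer 11 BTC to alice"
    assert verify(ppub, m2, s) == (H(m2) == H(m))
    print("toy ZSS signature checks passed")
```

The tamper checks show what the verification equation actually tests: the exponent $(H(m)+x) \cdot s$ must equal 1 in $\mathbb{Z}_q$, so changing S, $P_{pub}$ or (unless the hashes collide mod q) m breaks it. A real implementation also has to handle $H(m) + x = 0$ explicitly; the paper does not mention the case and with a 160-bit q it is negligible, but the signer should fail loudly rather than emit an invalid signature.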
3.2 Security Discussions

The strongest notion of security for signature schemes was defined by Goldwasser,
Micali and Rivest [12] as follows:

Definition 1 (Secure signatures [12]). A signature scheme S = < ParamGen,
KeyGen, Sign, Ver > is existentially unforgeable under an adaptive chosen message
attack if it is infeasible for a forger who only knows the public key to produce
a valid message-signature pair after obtaining polynomially many signatures on
messages of its choice from the signer.

Formally, for every probabilistic polynomial time forger algorithm $\mathcal{F}$ there
does not exist a non-negligible probability $\epsilon$ such that

$$Adv(\mathcal{F}) = \Pr\left[\begin{array}{l} (pk, sk) \leftarrow (ParamGen, KeyGen)(1^k);\\ \text{for } i = 1, 2, \ldots, t,\\ \quad m_i \leftarrow \mathcal{F}(pk, m_1, \sigma_1, \ldots, m_{i-1}, \sigma_{i-1}),\ \sigma_i \leftarrow Sign(sk, m_i);\\ (m, \sigma) \leftarrow \mathcal{F}(pk, m_1, \sigma_1, \ldots, m_t, \sigma_t);\\ m \notin \{m_1, \ldots, m_t\} \text{ and } Ver(pk, m, \sigma) = \text{accept} \end{array}\right] \geq \epsilon.$$

Here we use the definition of [4] which takes into account the existence of an
ideal hash function, and gives a concrete security analysis of digital signatures.

Definition 2 (Exact security of signatures [4]). A forger $\mathcal{F}$ is said to
$(t, q_H, q_S, \epsilon)$-break the signature scheme S = < ParamGen, KeyGen, Sign, Ver >
via an adaptive chosen message attack if after at most $q_H$ queries to the hash
oracle, $q_S$ signature queries and t processing time, it outputs a valid forgery
with probability at least $\epsilon$.

A signature scheme S is $(t, q_H, q_S, \epsilon)$-secure if there is no forger who
$(t, q_H, q_S, \epsilon)$-breaks the scheme.

To give the security proof of the new signature scheme, we recall a problem
proposed by S. Mitsunari et al. [18], called k-CAA (collusion attack algorithm
with k traitors), and used as the security basis in Mitsunari et al.'s traitor tracing
scheme.

Definition 3 (k-CAA). For an integer k, and $x \in_R \mathbb{Z}_q$, $P \in G_1$, given

$\{P, Q = xP, h_1, \ldots, h_k \in \mathbb{Z}_q, \frac{1}{h_1+x}P, \ldots, \frac{1}{h_k+x}P\}$,

compute $\frac{1}{h+x}P$ for some $h \notin \{h_1, \ldots, h_k\}$.

We say that the k-CAA is $(t, \epsilon)$-hard if for all t-time adversaries $\mathcal{A}$, we have

$$Adv^{k\text{-}CAA}_{\mathcal{A}} = \Pr\left[\mathcal{A}\Big(P, Q = xP, \tfrac{1}{h_1+x}P, \ldots, \tfrac{1}{h_k+x}P\Big) = \tfrac{1}{h+x}P \;\middle|\; x \in_R \mathbb{Z}_q,\ P \in G_1,\ h_1, \ldots, h_k \in \mathbb{Z}_q,\ h \notin \{h_1, \ldots, h_k\}\right] < \epsilon.$$

On the security of the proposed signature scheme against an adaptive chosen
message attack, we have the following theorem:
Theorem 2. If there exists a $(t, q_H, q_S, \epsilon)$-forger using an adaptive chosen message
attack for the proposed signature scheme, then there exists a $(t', \epsilon')$-algorithm
$\mathcal{A}$ solving $q_S$-CAA, where $t' = t$ and $\epsilon' \geq \left(\frac{q_S}{q_H}\right)^{q_S} \cdot \epsilon$.¹

Proof. In the proposed signature scheme, before signing a message m, we need
to make a query H(m). Our proof is in the random oracle model (the hash function
is seen as a random oracle, i.e., the output of the hash function is uniformly
distributed).

Suppose that a forger $\mathcal{F}$ $(t, q_H, q_S, \epsilon)$-breaks the signature scheme using an
adaptive chosen message attack. We will use $\mathcal{F}$ to construct an algorithm $\mathcal{A}$
to solve $q_S$-CAA. Suppose $\mathcal{A}$ is given a challenge: Given $P \in G_1$, $Q = xP$,
$h_1, h_2, \ldots, h_{q_S} \in \mathbb{Z}_q$, and $\frac{1}{h_1+x}P, \frac{1}{h_2+x}P, \ldots, \frac{1}{h_{q_S}+x}P$, compute $\frac{1}{h+x}P$ for some
$h \notin \{h_1, \ldots, h_{q_S}\}$.

Now $\mathcal{A}$ plays the role of the signer and sets $P_{pub} = Q$. $\mathcal{A}$ will answer hash
oracle queries and signing queries itself. We assume that $\mathcal{F}$ never repeats a hash
query or a signature query.

S1 $\mathcal{A}$ prepares $q_H$ responses $\{w_1, w_2, \ldots, w_{q_H}\}$ for the hash oracle queries; $h_1, \ldots,
h_{q_S}$ are distributed randomly in this response set.

S2 $\mathcal{F}$ makes a hash oracle query on $m_i$ for $1 \leq i \leq q_H$. $\mathcal{A}$ sends $w_i$ to $\mathcal{F}$ as the
response to the hash oracle query on $m_i$.

S3 $\mathcal{F}$ makes a signature oracle query for $w_i$. If $w_i = h_j$, $\mathcal{A}$ returns $\frac{1}{h_j+x}P$ to $\mathcal{F}$
as the response. Otherwise the process stops and $\mathcal{A}$ has failed.

S4 Finally $\mathcal{F}$ halts and outputs a message-signature pair (m, S). Here the hash
value of m is some $w_l$ and $w_l \notin \{h_1, \ldots, h_{q_S}\}$. Since (m, S) is a valid forgery
and $H(m) = w_l$, it satisfies:

$e(H(m)P + Q, S) = e(P, P)$.

So, $S = \frac{1}{w_l+x}P$. $\mathcal{A}$ outputs $(w_l, S)$ as a solution to $\mathcal{A}$'s challenge.

Algorithm $\mathcal{F}$ cannot distinguish between $\mathcal{A}$'s simulation and real life because
the hash function behaves as a random oracle. The running time of $\mathcal{A}$ is equal
to the running time of $\mathcal{F}$: $t' = t$. In step S3, the success probability of $\mathcal{A}$ is $\frac{q_S}{q_H}$,
so, for all signature oracle queries, $\mathcal{A}$ will not fail with probability $p \geq \left(\frac{q_S}{q_H}\right)^{q_S}$
(if $\mathcal{F}$ only makes $s$ ($< q_S$) signature oracle queries, the success probability of $\mathcal{A}$
is $\left(\frac{q_S}{q_H}\right)^{s}$). Hence, after the algorithm $\mathcal{A}$ finishes step S4, the success probability
of $\mathcal{A}$ is $\epsilon' \geq \left(\frac{q_S}{q_H}\right)^{q_S} \cdot \epsilon$. □

In [18], S. Mitsunari et al. introduced another new problem, the k-weak Computational
Diffie-Hellman Problem (k-wCDHP), and gave the following theorem.

Definition 4 (k-wCDHP). Given $k+1$ values $\langle P, yP, y^2P, \ldots, y^kP \rangle$, compute
$\frac{1}{y}P$.

¹ To obtain a good bound for $\epsilon'$, we should assume that $q_S$ and $q_H$ are very close.

Fangguo Zhang, Reihaneh Safavi-Naini, and Willy Susilo

Theorem 3 ([18]). There exists a polynomial time algorithm to solve (k-1)-
wCDHP if and only if there exists a polynomial time algorithm for k-CAA.

So, in our signature scheme, the security against existential forgery under
an adaptive chosen message attack depends at least on k-wCDHP.

To give a more specific evaluation of the security of our signature scheme,
we introduce a new problem.

Definition 5 (k+1 Exponent Problem). Given $k+1$ values $\langle P, yP, y^2P,
\ldots, y^kP \rangle$, compute $y^{k+1}P$.

We have the following theorem. The proof is given in the full version of this
paper.

Theorem 4. k-wCDHP and k+1EP are polynomial time equivalent.

We note that k+1EP and k-wCDHP are no harder than the CDHP. There
exists a special case where k-wCDHP or k+1EP can be easily solved. This
case gives an attack on the new signature scheme. Given $P_0 = P$, $P_1 = yP$,
$P_2 = y^2P, \ldots, P_k = y^kP$, if at least two of these elements are the same, e.g.,
$P_i = P_j$ ($i < j$), that means $y^i \bmod q = y^j \bmod q$, and so the order of y in $\mathbb{Z}_q^*$
divides $j - i$; taking the first such repetition, the order is exactly $d = j - i$. Then

$y^{-1}P = P_{d-1}$ and $y^{k+1}P = P_{(k+1) \bmod d}$.

However, because y can be regarded as a random element in $\mathbb{Z}_q^*$, we can show
that the success probability of this attack is negligible.

Let $q - 1 = \prod_i p_i^{e_i}$. For $a \in \mathbb{Z}_q^*$, the order of a is a divisor of $q - 1$.
Given k, suppose that the number of elements a in $\mathbb{Z}_q^*$ such that $ord(a) < k$ is
given by N. Obviously, $N < k^2$ (the number of divisors of $q - 1$ less than k is at most k,
and each such divisor d accounts for $\varphi(d) < k$ elements of order d). Let p be the
probability that a randomly chosen element in $\mathbb{Z}_q^*$ has order less than k; then

$p = \frac{N}{q-1} < \frac{k^2}{q-1}$.

So, if $q \approx 2^{160}$, we limit $k < 2^{40}$, which means the attacker has at most $2^{40}$
message-signature pairs. Then using the above attack, the success probability is
at most

$\frac{(2^{40})^2}{2^{160}} = 2^{-80} \approx 0.82718 \times 10^{-24}$.
Summarizing the above discussions, we have the following result. 



Corollary 1 Assuming that k+lEP is hard, i.e., there is no polynomial time 
algorithm to solve k+lEP with non-negligible probability, then the proposed sig- 
nature scheme is secure under the random oracle model. 
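The repeated-point attack and the counting bound above can be exercised directly. The following is an added example (not from the paper) with a toy prime q assumed so that $\mathbb{Z}_q^*$ can be enumerated: it scans the points $P, yP, \ldots, y^kP$ for a repeat, reads off $y^{-1}P$ and $y^{k+1}P$ by index, and counts how many y in $\mathbb{Z}_q^*$ have order below k.

```python
# Added example, not code from the paper: the "repeated point" attack on
# k-wCDHP / k+1EP described above, and the counting bound p = N/(q-1) < k^2/(q-1)
# on how often a random y is weak. Points y^i P are represented by the scalars
# y^i mod q (toy group, q an assumed small prime), which is enough because the
# attack only compares the given points for equality and looks them up by index.


def order(y, q):
    """Multiplicative order of y in Z_q^* (q prime), by brute force."""
    t, d = y % q, 1
    while t != 1:
        t, d = (t * y) % q, d + 1
    return d


def small_order_attack(points):
    """points = [P, yP, y^2 P, ..., y^k P]. If some y^i P == y^j P with i < j
    then y^(j-i) = 1; scanning in order, the first repeat gives the order d of y,
    and both y^-1 P = P_{d-1} and y^(k+1) P = P_{(k+1) mod d} are already in the
    list. Returns (y^-1 P, y^(k+1) P) or None when no repeat occurs."""
    k = len(points) - 1
    seen = {}
    for j, pt in enumerate(points):
        if pt in seen:
            d = j - seen[pt]
            return points[(d - 1) % d], points[(k + 1) % d]
        seen[pt] = j
    return None


def weak_fraction(q, k):
    """N = #{a in Z_q^* : ord(a) < k}, the probability N/(q-1) and the bound
    k^2/(q-1): at most k divisors of q-1 lie below k and each divisor d
    contributes phi(d) < k elements of that order."""
    N = sum(1 for a in range(1, q) if order(a, q) < k)
    return N, N / (q - 1), k * k / (q - 1)


if __name__ == "__main__":
    q = 1019          # q - 1 = 2 * 509, so only y = 1 and y = -1 have small order
    k = 5
    y = q - 1         # y = -1 mod q has order 2: every second point repeats
    pts = [pow(y, i, q) for i in range(k + 1)]
    assert small_order_attack(pts) == (pow(y, -1, q), pow(y, k + 1, q))
    y = 3             # order 509: no repeat among k + 1 points, the attack fails
    assert small_order_attack([pow(y, i, q) for i in range(k + 1)]) is None
    print(weak_fraction(q, 40))   # N = 2: only the orders 1 and 2 lie below 40
```

For the real parameters the same arithmetic gives the bound in the text: with $q \approx 2^{160}$ and $k < 2^{40}$ signatures, a random y lands in the weak set with probability below $2^{-80}$, which is why the paper can afford to ignore the case in the reduction while still requiring the hash to be at least 160 bits wide.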
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3.3 Efficiency 

Short signatures are important in low-bandwidth communication environments.
A number of short signature schemes, such as Quartz [19] and the McEliece-based
signature [10], have been proposed. The BLS scheme is the shortest signature scheme
known in classical cryptography (Quartz and the McEliece-based signature belong
to multivariate and code-based cryptography, respectively). Our signature consists
of only one element of $G_1$. In practice, the size of an element of $G_1$ (elliptic curve
group or hyperelliptic curve Jacobian) can be reduced by a factor of 2 using compression
techniques. So, like the BLS signature scheme, our signature scheme is a short signature scheme.

We compare our signature scheme with the BLS scheme from the computation
overhead viewpoint. We denote by Pa the pairing operation, Pm the point scalar
multiplication on $G_1$, Ad the point addition on $G_1$, Inv the inversion in $\mathbb{Z}_q$ and
MTP the MapToPoint hash operation in the BLS scheme. We summarize the result in
Table 1 (we ignore the general hash operation).

Schemes     | Setup | Signing       | Verification
------------|-------|---------------|--------------------------
Proposed    | Same  | 1 Inv + 1 Pm  | 2 (or 1) Pa + 1 Pm + 1 Ad
BLS scheme  | Same  | 1 MTP + 1 Pm  | 2 Pa + 1 MTP

Table 1. Comparison of our scheme and the BLS scheme

We assume that the BLS scheme and our scheme both use the GDH group
derived from the curve $E/\mathbb{F}_{3^{163}}$ defined by the equation $y^2 = x^3 - x + 1$. The
group provides 1551-bit discrete-log security. The MapToPoint hash operation
requires at least one quadratic or cubic equation over $\mathbb{F}_{3^{163}}$ to be solved. So
the cost of one MapToPoint hash operation is bigger than one inversion in $\mathbb{Z}_q$.
Despite a number of attempts [2, 3, 11] to reduce the complexity of pairing,
the operation is still very costly. For example, according to the best result in
[3], one pairing operation is about 11110 multiplications in $\mathbb{F}_{3^{163}}$, while a point
scalar multiplication on $E/\mathbb{F}_{3^{163}}$ is a few hundred multiplications in $\mathbb{F}_{3^{163}}$. In our
scheme, $e(P, P)$ can be precomputed and published as part of the signer's public
key, so there is only one pairing operation in verification. Compared to the
two pairing operations in the BLS scheme, this gives a more efficient scheme.

4 Relation to ID-based Public Key Setting 

The concept of ID-based encryption and signature was first introduced by
Shamir [26]. The basic idea of ID-based cryptosystems is to use the identity
information of a user as his public key. An ID-based public key setting
involves a Private Key Generator (PKG) and users. The basic operations consist
of setup and private key extraction. Informally, an ID-based encryption
scheme (IBE) consists of four algorithms: (1) Setup generates the system
parameters and a master-key, (2) Extract uses the master-key to generate the
private key corresponding to an arbitrary string ID, (3) Encrypt encrypts a
plaintext using a public key ID and (4) Decrypt decrypts the ciphertext using
the corresponding private key.

Recently, bilinear pairings have been used to construct ID-based cryptosystems.
As noted by Moni Naor in [6], any ID-based encryption scheme immediately
gives a public key signature scheme. Therefore, there is a relationship between
the short signature schemes and the ID-based public key setting from bilinear
pairings, namely that the signing process in the short signature scheme can be regarded
as the private key extraction process in the ID-based public key setting. From this
viewpoint, our new signature scheme can be regarded as being derived from
Sakai-Kasahara's new ID-based encryption scheme with pairing [24, 25].

5 A Ring Signature Scheme 

Ring signature schemes were proposed by Rivest, Shamir, and Tauman [21]. In 
a ring signature, a user selects a set of possible signers including himself that 
is called a ring. A possible signer is anyone with a public key for a standard 
signature scheme. The user can then sign a message using his private key and 
the public keys of all of the members of the ring. The signed message then has 
the property that it can be verified to be signed by a user in the ring, but the 
identity of the actual signer will not be revealed, hence the signature provides 
anonymity for the signer and the anonymity cannot be revoked. 

Ring signature schemes should satisfy the following properties: Correctness,
Unconditional ambiguity (or Anonymity) and Unforgeability.

A number of ring signature schemes based on pairings have been proposed.
Zhang et al. [28] proposed an ID-based ring signature scheme. In [7], Boneh et al.
gave a ring signature scheme from the BLS signature scheme. In this section, we give
a new ring signature scheme based on the signature scheme in Section 3.

The system parameters are $params = \{G_1, G_2, e, q, P, H\}$. Let Alice be a
signer with public key $P_{pub_k} = s_kP$ and private key $s_k$, and let $L = \{P_{pub_i}\}$ be the
set of public keys with $|L| = n$.

Ring Signing:

For message m, Alice chooses $a_i \in_R \mathbb{Z}_q$ for all $i \neq k$ and computes

$S_k = \frac{1}{H(m)+s_k}\Big(P - \sum_{i \neq k} a_i\big(H(m)P + P_{pub_i}\big)\Big)$.

Let $S_i = a_iP$ for all $i \neq k$. The ring signature is $\sigma = (S_1, S_2, \ldots, S_n)$.

Ring Verification:

$\prod_{i=1}^{n} e(H(m)P + P_{pub_i}, S_i) = e(P, P)$.

The following is a brief analysis of the scheme. 

Correctness. The verification of the signature is correct because of the following.

$$\begin{aligned}
\prod_{i=1}^{n} e(H(m)P + P_{pub_i}, S_i)
&= \prod_{i \neq k} e(H(m)P + P_{pub_i}, a_iP) \cdot e\Big(H(m)P + P_{pub_k}, \frac{1}{H(m)+s_k}\big(P - \sum_{i \neq k} a_i(H(m)P + P_{pub_i})\big)\Big)\\
&= e\Big(\sum_{i \neq k} a_i(H(m)P + P_{pub_i}), P\Big) \cdot e\Big(P, -\sum_{i \neq k} a_i(H(m)P + P_{pub_i})\Big) \cdot e(P, P)\\
&= e(P, P)
\end{aligned}$$



Unconditional ambiguity. The scheme has unconditional signer-ambiguity. Assume
that $\sigma = (S_1, S_2, \ldots, S_n)$ is a ring signature on the set of users L generated
with private key $s_k$. All $S_i$ except $S_k$ are taken randomly from $G_1$ due to $S_i = a_iP$
and $a_i \in_R \mathbb{Z}_q$. $S_k$ is computed from these $S_i$, H(m) and $s_k$. Therefore, for fixed L
and m, $(S_1, S_2, \ldots, S_n)$ has $|G_1|^{n-1}$ possible values, all of which can be chosen
by the signature generation procedure with equal probability and regardless of
the signer. At the same time, the distribution $\{S_1, S_2, \ldots, S_n\}$ is identical to
the distribution $\{a_1P, a_2P, \ldots, a_nP : \sum_{i=1}^{n} a_i(H(m)P + P_{pub_i}) = C\}$, where C is an
element of $G_1$ depending on L and m. So, for any algorithm $\mathcal{A}$, any set of users L, and a random
$k \in L$, the probability $\Pr[\mathcal{A}(\sigma) = k]$ is at most $1/|L|$.

Unforgeability. For the unforgeability, we have the following theorem:

Theorem 5. If there exists a $(t, q_H, q_S, \epsilon)$-forger $\mathcal{F}$ algorithm that can produce
a forgery of a ring signature on a set of users of size n, then there exists a
$(t', \epsilon')$-algorithm $\mathcal{A}$ that can solve $q_S$-CAA, where

$t' = t + (3 + q_S)\,n\,t_{sm} + 2(n-1)\,t_{add} + (n-1)\,t_{inv} + (n-1)\,t_{mu}$,

$\epsilon' \geq \left(\frac{q_S}{q_H}\right)^{q_S} \cdot \frac{1}{q_H - q_S} \cdot \epsilon$.

Here, $t_{sm}$ is the time of one point scalar multiplication in $G_1$, $t_{add}$ is the time of
one addition in $G_1$, $t_{inv}$ is the time of one inversion in $\mathbb{Z}_q$ and $t_{mu}$ is the time
of one multiplication in $\mathbb{Z}_q$.

Proof. We adopt the security model of Rivest, Shamir and Tauman. Consider
the following game played between an adversary and a challenger. The adversary
is given the public keys $P_1, \ldots, P_n$ of a set of users U, and is given oracle access
to H and a ring-signing oracle. The goal of the adversary is to output a valid
ring signature for U of a message m subject to the condition that m has never
been presented to the ring-signing oracle.

Suppose that there exists a $(t, q_H, q_S, \epsilon)$-forger $\mathcal{F}$ algorithm that can produce
a forgery of a ring signature on a set of users of size n. We will use $\mathcal{F}$ to construct
an algorithm $\mathcal{A}$ to solve $q_S$-CAA. Suppose that $\mathcal{A}$ is given a challenge: Given
$P \in G_1$, $Q = xP$, $h_1, h_2, \ldots, h_{q_S} \in \mathbb{Z}_q$, and $\frac{1}{h_1+x}P, \frac{1}{h_2+x}P, \ldots, \frac{1}{h_{q_S}+x}P$, compute
$\frac{1}{h+x}P$ for some $h \notin \{h_1, \ldots, h_{q_S}\}$.
— Setup: $\mathcal{A}$ plays the role of the real signer and picks $a_1 = 1$, $a_2, \ldots, a_n$ at
random from $\mathbb{Z}_q$ and sets

$P_1 = Q,\quad P_2 = a_2Q + h(a_2 - 1)P,\ \ldots,\ P_n = a_nQ + h(a_n - 1)P$.

Here, we assume that the number of users n is an odd number. $\mathcal{A}$ prepares
$q_H$ responses $\{w_1, w_2, \ldots, w_{q_H}\}$ for the hash oracle queries; $h_1, \ldots, h_{q_S}$ and h
are distributed randomly in this response set.

— Hash queries: $\mathcal{F}$ is given the public keys $P_1, P_2, \ldots, P_n$. $\mathcal{F}$ makes a hash
oracle query on $m_i$ for $1 \leq i \leq q_H$. $\mathcal{A}$ sends $w_i$ to $\mathcal{F}$ as the response to the
hash oracle query on $m_i$.

— Signing queries: $\mathcal{F}$ makes a ring signature oracle query for $w_i$. If $w_i = h_j$,
$\mathcal{A}$ returns

$\sigma_i = (S_{i1}, S_{i2}, \ldots, S_{in})$

to $\mathcal{F}$ as the signing result. Here

$S_{i1} = \Big(1 - \sum_{l=2}^{n} (-1)^l (a_l - 1)^{-1}\Big) \cdot \frac{1}{h_j + x}P$,

$S_{i2} = (a_2 - 1)^{-1} \cdot \frac{1}{h_j + x}P$,

$\ldots$

$S_{il} = (-1)^l (a_l - 1)^{-1} \cdot \frac{1}{h_j + x}P$,

$\ldots$

$S_{in} = (-1)^n (a_n - 1)^{-1} \cdot \frac{1}{h_j + x}P = -(a_n - 1)^{-1} \cdot \frac{1}{h_j + x}P$.

From the construction of $S_{il}$, we can verify that $\sigma_i$ passes the ring verification:

$$\begin{aligned}
\prod_{l=1}^{n} e(H(m_i)P + P_l, S_{il})
&= e\Big(h_jP + Q, \frac{1 - \sum_{l=2}^{n}(-1)^l(a_l-1)^{-1}}{h_j + x}P\Big) \prod_{l=2}^{n} e\Big(h_jP + a_lQ + h(a_l - 1)P, \frac{(-1)^l(a_l-1)^{-1}}{h_j + x}P\Big)\\
&= e(P, P)^{1 - \sum_{l=2}^{n}(-1)^l(a_l-1)^{-1}} \prod_{l=2}^{n} e\Big(h_jP + Q + (a_l - 1)(Q + hP), \frac{(-1)^l(a_l-1)^{-1}}{h_j + x}P\Big)\\
&= e(P, P)^{1 - \sum_{l=2}^{n}(-1)^l(a_l-1)^{-1}} \prod_{l=2}^{n} e(P, P)^{(-1)^l(a_l-1)^{-1}} \cdot e\Big(Q + hP, \frac{(-1)^l}{h_j + x}P\Big)\\
&= e(P, P) \cdot e\Big(Q + hP, \frac{\sum_{l=2}^{n}(-1)^l}{h_j + x}P\Big)\\
&= e(P, P) \qquad \text{(since } n \text{ is odd, } \textstyle\sum_{l=2}^{n}(-1)^l = 0\text{)}
\end{aligned}$$

Otherwise, the process stops and $\mathcal{A}$ reports failure.

— Output: Eventually $\mathcal{F}$ outputs a message-signature pair $(m, \sigma = (S_1, S_2,
\ldots, S_n))$ for the ring public keys $P_1, P_2, \ldots, P_n$, where the hash value of m is some
$w_l$ such that no signature query was issued for m. If $w_l \neq h$, then $\mathcal{A}$ reports
failure and terminates. Otherwise,

$\prod_{i=1}^{n} e(H(m)P + P_i, S_i) = \prod_{i=1}^{n} e(hP + a_iQ + h(a_i - 1)P, S_i) = e(P, P)$.

Hence

$\prod_{i=1}^{n} e(a_ihP + a_iQ, S_i) = \prod_{i=1}^{n} e(hP + Q, a_iS_i) = e\Big(hP + Q, \sum_{i=1}^{n} a_iS_i\Big) = e(P, P)$.

Then $\mathcal{A}$ outputs the required $\frac{1}{h+x}P$ as $\sum_{i=1}^{n} a_iS_i$.

$\mathcal{A}$ will not fail with probability $\left(\frac{q_S}{q_H}\right)^{q_S} \cdot \frac{1}{q_H - q_S} \cdot \epsilon$ (for all signature oracle
queries, $\mathcal{A}$ will not fail with probability $p \geq \left(\frac{q_S}{q_H}\right)^{q_S}$; in Output, the probability
that $w_l = h$ is $\frac{1}{q_H - q_S}$).

In Setup, there are $n - 1$ multiplications in $\mathbb{Z}_q$, $n - 1$ additions and 2n scalar
multiplications in $G_1$. There are $nq_S$ scalar multiplications in $G_1$ and $n - 1$
inversions over $\mathbb{Z}_q$ in $\mathcal{A}$'s answers to signature queries, and n scalar multiplications and $n - 1$
additions in $G_1$ in Output. We denote by $t_{sm}$ the time of one scalar multiplication
in $G_1$, $t_{add}$ the time of one addition in $G_1$, $t_{inv}$ the time of one inversion in $\mathbb{Z}_q$
and $t_{mu}$ the time of one multiplication in $\mathbb{Z}_q$. So $\mathcal{A}$'s running time $t'$ is $\mathcal{F}$'s
running time plus $(2n + nq_S + n)\,t_{sm} + 2(n-1)\,t_{add} + (n-1)\,t_{mu} + (n-1)\,t_{inv}$,
i.e., $t' = t + (3 + q_S)\,n\,t_{sm} + 2(n-1)\,t_{add} + (n-1)\,t_{inv} + (n-1)\,t_{mu}$.

Note that when n = 1, this ring signature scheme is the basic signature
scheme.

6 Delegation of Right and Proxy Signatures

Assume that there are two participants, one called the original signer with public key
$PK_o$ and secret key $s_o$, the other called the proxy signer with public key $PK_p$ and
secret key $s_p$; they have the common system parameters $\{G_1, G_2, e, q, P, H\}$. We
describe the delegation in detail as follows:

— The original signer makes a warrant w. There is an explicit description of
the delegation relation in the warrant w.

— The original signer computes $S_{ow} = (s_o + H(w))^{-1}PK_p$, and sends w and
$S_{ow}$ to the proxy signer.

— The proxy signer checks whether $e(H(w)P + PK_o, S_{ow}) = e(P, PK_p)$; if it holds,
he computes $S_w = s_pS_{ow}$.

$S_w$ satisfies: $e(H(w)P + PK_o, S_w) = e(PK_p, PK_p)$.

No one can forge an $S_{w'}$ for a warrant $w'$, since there are two signatures
on a warrant: first, the original signer uses the signature scheme in Section 3
to sign the warrant, and then the proxy signer uses the BLS short signature
scheme to sign it, and these two signature schemes are secure. On the other hand,
the above delegation does not require a secure channel for the delivery of the
signed warrant by the original signer, i.e., the original signer can publish w
and $S_{ow}$. More precisely, any adversary can get the original signer's signature
on the warrant w. Even so, the adversary cannot get the $S_w$ of the proxy signer,
because $S_w$ should satisfy $e(H(w)P + PK_o, S_w) = e(PK_p, PK_p)$, and $e(H(w)P +
PK_o, S_{ow}) = e(P, PK_p)$. Obtaining $S_w$ from P, $S_{ow}$ and $PK_p$ is the CDHP.

The above delegation is a partial delegation with warrant [15]. It can be
regarded as the generation of the proxy key in a proxy signature. The proxy secret
key is $S_w$, and the proxy public key is $PK_o + PK_p$. Then the proxy signer can
use any ID-based signature scheme or ID-based blind signature scheme from
pairings (taking the ID public key as $H_2(w)$, the secret key as $S_w$ and the public
key of the PKG as $PK_o + PK_p$) to get proxy signature and proxy blind signature
schemes.

Next, we give two applications of the above delegation method in proxy signature:
designing a proxy signature scheme and a proxy blind signature scheme. We only
describe the schemes without security analysis.

A Proxy Signature Scheme

Proxy signatures are very useful tools when one needs to delegate his/her
signing capability to another party [15, 16]. Using the above delegation, we give a new
proxy signature scheme.

Setup: Define another cryptographic hash function $H_1 : \{0, 1\}^* \times G_1 \to \mathbb{Z}_q^*$.
The system parameters are $params = \{G_1, G_2, e, q, P, H, H_1\}$, the original signer
has the public-secret key pair $(PK_o, s_o)$, and the proxy signer has the public-secret key pair
$(PK_p, s_p)$.

Generation of the proxy key: The proxy signer receives a proxy key $S_w$ using
the above delegation protocol.

Signing: For a message m, choose a random number $r \in \mathbb{Z}_q^*$, compute $U =
r \cdot (H(w)P + PK_o)$. Compute $h = H_1(m\|U)$ and $V = (h + r)^{-1}S_w$. The proxy
signature on m is (U, V, w).

Verification: Verify that

$e(U + H_1(m\|U)(H(w)P + PK_o), V) = e(PK_p, PK_p)$.

A Proxy Blind Signature Scheme

A proxy blind signature is considered to be the combination of a proxy signature
and a blind signature, so it satisfies the security properties of both the blind signature
and the proxy signature. Such a signature is suitable for many applications
where the users' privacy and proxy signatures are required. Now, we give a new
proxy blind signature scheme.

Setup: Same as the above proxy signature scheme.

Generation of the proxy key: The proxy signer receives a proxy key $S_w$.

Proxy blind signature generation: Suppose that m is the message to be
signed.

— The proxy signer randomly chooses a number $r \in_R \mathbb{Z}_q^*$, computes $U = r \cdot
(H(w)P + PK_o)$, and sends U and the warrant w to the user.

— (Blinding) The user randomly chooses $\alpha, \beta \in_R \mathbb{Z}_q^*$ as blinding factors. He/She
computes $U' = \alpha U + \alpha\beta(H(w)P + PK_o)$ and $h = \alpha^{-1}H_1(m\|U') + \beta$, and sends
h to the signer.

— (Signing) The signer sends back V, where $V = (r + h)^{-1}S_w$.

— (Unblinding) The user computes $V' = \alpha^{-1}V$ and outputs $(m, U', V')$.

Then $(U', V', w)$ is the proxy blind signature of the message m.

Verification: A verifier accepts this proxy blind signature if and only if

$e(U' + H_1(m\|U')(H(w)P + PK_o), V') = e(PK_p, PK_p)$.
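An added example (not code from the paper) that runs the delegation protocol, the proxy signature and the proxy blind signature end to end over the same toy bilinear map as the earlier examples (a point aP stored as the scalar a in $\mathbb{Z}_q$, $e(aP, bP) = g^{ab}$; insecure, algebra only). The prime q = 1019, p = 2q + 1, g, SHA-256 as H, and a domain-separated SHA-256 as $H_1$ are assumptions; both sides of the blind protocol are played by one function so the message flow is visible.

```python
# Added example, not code from the paper: the delegation protocol of Section 6
# and the proxy signature and proxy blind signature built on it, over the same
# TOY bilinear map as the earlier examples (a point aP is stored as a in Z_q,
# e(aP, bP) = g^(ab); insecure, algebra only). q, p, g, H and H1 are assumptions.
import hashlib
import secrets

Q = 1019
P_MOD = 2 * Q + 1
G = pow(2, (P_MOD - 1) // Q, P_MOD)
P = 1


def e(a, b):
    return pow(G, (a * b) % Q, P_MOD)


def H(data):                      # H : {0,1}* -> Z_q
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def H1(msg, U):                   # H1 : {0,1}* x G1 -> Z_q^* (domain separated)
    return H(b"H1|" + msg + b"|" + U.to_bytes(4, "big")) % (Q - 1) + 1


def rand_zq_star():
    return secrets.randbelow(Q - 1) + 1


def delegate(s_o, pk_p, w):
    """Original signer: S_ow = (s_o + H(w))^-1 PK_p; (w, S_ow) may be published."""
    return (pow(s_o + H(w), -1, Q) * pk_p) % Q


def accept_delegation(pk_o, pk_p, w, s_ow, s_p):
    """Proxy signer: check e(H(w)P + PK_o, S_ow) == e(P, PK_p), then S_w = s_p S_ow."""
    if e((H(w) * P + pk_o) % Q, s_ow) != e(P, pk_p):
        return None
    return (s_p * s_ow) % Q


def proxy_key_ok(pk_o, pk_p, w, s_w):
    """e(H(w)P + PK_o, S_w) == e(PK_p, PK_p)."""
    return e((H(w) * P + pk_o) % Q, s_w) == e(pk_p, pk_p)


def proxy_sign(pk_o, w, s_w, msg):
    """U = r(H(w)P + PK_o), h = H1(m||U), V = (h + r)^-1 S_w."""
    base = (H(w) * P + pk_o) % Q
    while True:
        r = rand_zq_star()
        U = (r * base) % Q
        h = H1(msg, U)
        if (h + r) % Q:                        # h + r must be invertible
            return U, (pow(h + r, -1, Q) * s_w) % Q, w


def proxy_verify(pk_o, pk_p, msg, sig):
    """e(U + H1(m||U)(H(w)P + PK_o), V) == e(PK_p, PK_p); same equation for (U', V', w)."""
    U, V, w = sig
    lhs = e((U + H1(msg, U) * (H(w) * P + pk_o)) % Q, V)
    return lhs == e(pk_p, pk_p)


def proxy_blind_sign(pk_o, w, s_w, msg):
    """Both sides of the blind protocol; the signer never sees m or U'."""
    base = (H(w) * P + pk_o) % Q
    while True:
        r = rand_zq_star()
        U = (r * base) % Q                              # signer -> user: U, w
        alpha, beta = rand_zq_star(), rand_zq_star()    # user's blinding factors
        U_ = (alpha * U + alpha * beta * base) % Q
        h = (pow(alpha, -1, Q) * H1(msg, U_) + beta) % Q   # user -> signer: h
        if (r + h) % Q == 0:                            # signer restarts with fresh r
            continue
        V = (pow(r + h, -1, Q) * s_w) % Q               # signer -> user: V
        return U_, (pow(alpha, -1, Q) * V) % Q, w       # user unblinds: V' = alpha^-1 V


if __name__ == "__main__":
    w = b"proxy may sign invoices until 2004-12-31"
    s_o, s_p = rand_zq_star(), rand_zq_star()
    while (s_o + H(w)) % Q == 0:                        # toy-size q only
        s_o = rand_zq_star()
    pk_o, pk_p = (s_o * P) % Q, (s_p * P) % Q
    s_w = accept_delegation(pk_o, pk_p, w, delegate(s_o, pk_p, w), s_p)
    assert s_w is not None and proxy_key_ok(pk_o, pk_p, w, s_w)
    assert proxy_verify(pk_o, pk_p, b"invoice #17", proxy_sign(pk_o, w, s_w, b"invoice #17"))
    assert proxy_verify(pk_o, pk_p, b"invoice #18", proxy_blind_sign(pk_o, w, s_w, b"invoice #18"))
    print("toy delegation, proxy and proxy blind signature checks passed")
```

Two practical points the schemes leave implicit are made explicit here: $h + r$ (and $r + h$ in the blind variant) must be invertible, so the signer retries with a fresh r when it is not, and $H_1$ is domain separated from H so that a warrant hash can never be replayed as a message hash. The blind and non-blind signatures are verified by the same function, as the text states.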

7 Conclusion 

In this paper, we proposed a new short signature scheme that is more efficient
than the BLS scheme. The security of this signature scheme depends on a new problem,
namely k-CAA or k+1EP. It is shown that k+1EP is no harder than
the CDHP. Based on this basic signature scheme, a ring signature scheme and
a new method for delegation are proposed.
Abstract. Bellare, Boldyreva, Desai, and Pointcheval [1] recently proposed a new security requirement of encryption schemes called "key-privacy." It asks that the encryption provide (in addition to privacy of the data being encrypted) privacy of the key under which the encryption was performed. Incidentally, Rivest, Shamir, and Tauman [2] recently proposed the notion of ring signature, which allows a member of an ad hoc collection of users S to prove that a message is authenticated by a member of S without revealing which member actually produced the signature.

We are concerned with an underlying primitive element common to the key-privacy encryption and the ring signature schemes, that is, families of trap-door permutations with a common domain. For a standard RSA family of trap-door permutations, even if all of the functions in a family use RSA moduli of the same size (the same number of bits), it will have domains with different sizes. In this paper, we construct an RSA family of trap-door permutations with a common domain, and propose the applications of our construction to the key-privacy encryption and ring signature schemes, which have some advantages over the previous schemes.

Keywords: RSA, trap-door permutations, key-privacy, anonymity, encryption, ring signature



1 Introduction 

Bellare, Boldyreva, Desai, and Pointcheval [1] recently proposed a new security requirement of encryption schemes called "key-privacy." It asks that the encryption provide (in addition to privacy of the data being encrypted) privacy of the key under which the encryption was performed. Standard RSA encryption does not provide key-privacy, because even if two public keys $N_0$ and $N_1$ ($N_0 < N_1$) have the same number of bits, $N_1 - N_0$ may be large. In [1], they provided the key-privacy encryption scheme RSA-RAEP, which is a variant of RSA-OAEP (Bellare and Rogaway [3], Fujisaki, Okamoto, Pointcheval, and Stern [4]), and solved this problem by repeating the evaluation of the RSA-OAEP permutation f(x,r) with plaintext x and random r, each time using a different r, until the value is in the safe range (see Section 3.2). To derive a value in the safe range, the number of repetitions may be very large (up to the value of the security parameter).

Incidentally, Rivest, Shamir, and Tauman [2] recently proposed the notion of ring signature, which allows a member of an ad hoc collection of users S to prove that a message is authenticated by a member of S without revealing which member actually produced the signature. Unlike group signature, ring signature has no group managers, no setup procedures, no revocation procedures, and no coordination. The signer does not need the knowledge, consent, or assistance of the other ring members to put them in the ring. All the signer needs is knowledge of their regular public keys. They also proposed efficient schemes based on RSA and Rabin. In their RSA-based scheme, the trap-door RSA permutations of the various ring members will have domains of different sizes. This makes it awkward to combine the individual signatures, so one should construct some trap-door one-way permutation which has a common domain for each user. Intuitively, in the ring signature scheme, Rivest, Shamir, and Tauman solved this by encoding the message in an $N_i$-ary representation and applying a standard permutation $f_i$ to the low-order digits (see Section 4.2). As mentioned in [2], to derive a secure permutation $g_i$ with a common domain, the domain of $g_i$ would have to be 160 bits larger than that of $f_i$.

In this paper, we will take a different approach. We use neither repeated evaluation of a permutation nor an $N_i$-ary representation. We are concerned with an underlying primitive element common to the key-privacy encryption and the ring signature schemes, that is, families of trap-door permutations with a common domain. For a standard RSA family of trap-door permutations denoted by RSA, even if all of the functions in a family use RSA moduli of the same size (the same number of bits), it will have domains with different sizes. We construct an RSA family of trap-door permutations with a common domain denoted by RSACD, and prove that the θ-partial one-wayness of RSACD is equivalent to the one-wayness of RSACD for θ > 0.5, and that the one-wayness of RSACD is equivalent to the one-wayness of RSA. Fujisaki, Okamoto, Pointcheval, and Stern [4] showed that the θ-partial one-wayness of RSA is equivalent to the one-wayness of RSA for θ > 0.5. Thus, the following relations are satisfied for θ > 0.5.



    RSA is θ-partial one-way              RSACD is θ-partial one-way
              ^                                       ^
              | [4]                                   | [this paper]
              v                                       v
        RSA is one-way     <--- [this paper] --->   RSACD is one-way



We then propose the application to the key-privacy encryption scheme. Our proposed scheme is more efficient than the previous scheme with respect to the number of exponentiations for encryption in the worst case. When we use RSA moduli uniformly distributed in $(2^{k-1}, 2^k)$, the expected number of exponentiations of our scheme is the same as that of RSA-RAEP. In our scheme, the number of exponentiations for encryption is at most two, while in RSA-RAEP the upper bound of this number is $k_1$ ($\ge 2$, a security parameter).

We also propose the application to the ring signature scheme. We consider the case where the members of the same group use RSA moduli of the same length. In our scheme, the domain of the trap-door one-way permutation used to sign and verify a ring signature is $\{0,1\}^k$, while that of the previous scheme is $\{0,1\}^{k+160}$, where k is the length of the RSA moduli. Thus, we can reduce the size of the signature in this situation.

The organization of this paper is as follows. In Section 2, after reviewing the definitions of families of functions and the standard RSA family, we propose the RSA family of trap-door permutations with a common domain. We also prove that the θ-partial one-wayness of RSACD is equivalent to the one-wayness of RSACD for θ > 0.5, and that the one-wayness of RSACD is equivalent to the one-wayness of RSA. In Section 3, we propose the application of our new family to the key-privacy encryption scheme. In Section 4, we propose the application of our new family to the ring signature scheme. We conclude in Section 5.

2 An RSA Family of Trap-Door Permutations with a 
Common Domain 

2.1 Preliminaries 

In this section, we briefly review the definitions of families of functions, and the 
standard RSA family of trap-door permutations denoted by RSA. 

Definition 1 (families of functions [1]). A family of functions F = (K, S, E) is specified by three algorithms.

— The randomized key-generation algorithm K takes as input a security parameter $k \in \mathbb{N}$ and returns a pair (pk, sk) where pk is a public key and sk is an associated secret key. (In cases where the family is not trap-door, the secret key is simply the empty string.)

— The randomized sampling algorithm S takes input pk and returns a random point in a set that we call the domain of pk and denote by $\mathrm{Dom}_F(pk)$.

— The deterministic evaluation algorithm E takes input pk and a point $x \in \mathrm{Dom}_F(pk)$ and returns an output we denote by $E_{pk}(x)$. We let $\mathrm{Rng}_F(pk) = \{E_{pk}(x) \mid x \in \mathrm{Dom}_F(pk)\}$ denote the range of the function $E_{pk}(\cdot)$.

Definition 2 (families of trap-door permutations [1]). We say that F is a family of trap-door functions if there exists a deterministic inversion algorithm I that takes input sk and a point $y \in \mathrm{Rng}_F(pk)$ and returns a point $x \in \mathrm{Dom}_F(pk)$ such that $E_{pk}(x) = y$. We say that F is a family of trap-door permutations if F is a family of trap-door functions, $\mathrm{Dom}_F(pk) = \mathrm{Rng}_F(pk)$, and $E_{pk}$ is a permutation on this set.
We describe the definition of θ-partial one-wayness.

Definition 3 (θ-partial one-way [1]). Let F = (K, S, E) be a family of functions. Let $b \in \{0,1\}$ and let $k \in \mathbb{N}$ be a security parameter. Let $0 < \theta \le 1$ be a constant. Let A be an adversary. Now, we consider the following experiment:

Experiment $\mathrm{Exp}^{\theta\text{-pow-fnc}}_{F,A}(k)$
  $(pk, sk) \leftarrow K(k)$
  $x_1\|x_2 \leftarrow \mathrm{Dom}_F(pk)$ where $|x_1| = \lceil \theta \cdot |(x_1\|x_2)| \rceil$
  $y \leftarrow E_{pk}(x_1\|x_2)$
  $x'_1 \leftarrow A(pk, y)$ where $|x'_1| = |x_1|$
  if $E_{pk}(x'_1\|x'_2) = y$ for some $x'_2$ then return 1
  else return 0

We define the advantage of the adversary via

$$\mathrm{Adv}^{\theta\text{-pow-fnc}}_{F,A}(k) = \Pr[\mathrm{Exp}^{\theta\text{-pow-fnc}}_{F,A}(k) = 1]$$

where the probability is taken over $(pk, sk) \leftarrow K(k)$, $x_1\|x_2 \leftarrow \mathrm{Dom}_F(pk)$, and the coin tosses of A. We say that the family F is θ-partial one-way if the function $\mathrm{Adv}^{\theta\text{-pow-fnc}}_{F,A}(\cdot)$ is negligible for any adversary A whose time complexity is polynomial in k. In particular, we say that the family F is one-way when F is 1-partial one-way.

We now describe the standard RSA family of trap-door permutations. 

Definition 4 (the standard RSA family of trap-door permutations [1]). The specifications of the standard RSA family of trap-door permutations RSA = (K, S, E) are as follows. The key generation algorithm takes as input a security parameter k and picks random, distinct primes p, q in the range $2^{k/2-1} < p, q < 2^{k/2}$. (If k is odd, increment it by 1 before picking the primes.) It sets N = pq (i.e. $2^{k-2} < N < 2^k$). It picks $e, d \in \mathbb{Z}^*_{\phi(N)}$ such that $ed \equiv 1 \pmod{\phi(N)}$ where $\phi(N) = (p-1)(q-1)$. The public key is N, e, k and the secret key is N, d, k. The sets $\mathrm{Dom}_{RSA}(N,e,k)$ and $\mathrm{Rng}_{RSA}(N,e,k)$ are both equal to $\mathbb{Z}_N^*$. The evaluation algorithm is $E_{N,e,k}(x) = x^e \bmod N$ and the inversion algorithm is $I_{N,d,k}(y) = y^d \bmod N$. The sampling algorithm returns a random point in $\mathbb{Z}_N^*$.

Fujisaki, Okamoto, Pointcheval, and Stern [4] showed that the θ-partial one-wayness of RSA is equivalent to the one-wayness of RSA for θ > 0.5.



2.2 The Construction of RSACD 

In this section, we propose the RSA family of trap-door permutations with a 
common domain denoted by RSACD. 

Definition 5 (the RSA family of trap-door permutations with a common domain). The specifications of the RSA family of trap-door permutations with a common domain RSACD = (K, S, E) are as follows. The key generation algorithm is almost the same as that for the RSA family. The difference is picking two distinct primes p, q such that $2^{k/2-1} < p, q < 2^{k/2}$ and $2^{k-1} < pq < 2^k$. The sets $\mathrm{Dom}_{RSACD}(N,e,k)$ and $\mathrm{Rng}_{RSACD}(N,e,k)$ are both $\{x \mid x \in [0, 2^k) \wedge x \bmod N \in \mathbb{Z}_N^*\}$. The sampling algorithm returns a random point in $\mathrm{Dom}_{RSACD}(N,e,k)$. The evaluation algorithm $E_{N,e,k}(x) = f_{N,e,k}(x)$ and the inversion algorithm $I_{N,d,k}(y) = g_{N,d,k}(y)$ are as follows (see Figure 1).

Fig. 1. Functions $f_{N,e,k}$ and $g_{N,d,k}$

Function $f_{N,e,k}(x)$
  $u \leftarrow f^1_{N,e,k}(x)$; $v \leftarrow f^2_{N,e,k}(u)$; $y \leftarrow f^3_{N,e,k}(v)$
  return y

Function $f^1_{N,e,k}(x)$
  if $(x < N)$ $u \leftarrow x^e \bmod N$
  else $u \leftarrow x$
  return u

Function $f^2_{N,e,k}(u)$
  if $(u < 2^k - N)$ $v \leftarrow u + N$
  elseif $(2^k - N \le u < N)$ $v \leftarrow u$
  else $v \leftarrow u - N$
  return v

Function $f^3_{N,e,k}(v)$
  if $(v < N)$ $y \leftarrow v^e \bmod N$
  else $y \leftarrow v$
  return y

Function $g_{N,d,k}(y)$
  $v \leftarrow g^1_{N,d,k}(y)$; $u \leftarrow g^2_{N,d,k}(v)$; $x \leftarrow g^3_{N,d,k}(u)$
  return x

Function $g^1_{N,d,k}(y)$
  if $(y < N)$ $v \leftarrow y^d \bmod N$
  else $v \leftarrow y$
  return v

Function $g^2_{N,d,k}(v)$
  if $(v < 2^k - N)$ $u \leftarrow v + N$
  elseif $(2^k - N \le v < N)$ $u \leftarrow v$
  else $u \leftarrow v - N$
  return u

Function $g^3_{N,d,k}(u)$
  if $(u < N)$ $x \leftarrow u^d \bmod N$
  else $x \leftarrow u$
  return x

The choice of N from $(2^{k-1}, 2^k)$ ensures that all elements in $\mathrm{Dom}_{RSACD}(N,e,k)$ are permuted by the RSA function at least once.
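The functions $f_{N,e,k}$ and $g_{N,d,k}$ above, as an added Python example that is not part of the paper: it implements them over a constructed 8-bit instance (N = 143, e = 7, chosen only for illustration), checks exhaustively that f maps $\mathrm{Dom}_{RSACD}(N,e,k)$ onto itself bijectively, that g inverts it, and that every domain element is exponentiated at least once, as the text claims.

```python
from math import gcd

# Constructed toy RSACD instance (NOT the paper's parameters). With k = 8 the
# primes must lie in (2^3, 2^4) and the modulus in (2^7, 2^8): 128 < 143 < 256.
K = 8
P, Q = 11, 13
N = P * Q                 # 143
PHI = (P - 1) * (Q - 1)   # 120
E = 7                     # gcd(7, 120) = 1
D = pow(E, -1, PHI)       # 103, since 7 * 103 = 721 = 6 * 120 + 1

def in_domain(x, n=N, k=K):
    """Dom_RSACD(N,e,k) = { x in [0, 2^k) : x mod N in Z_N^* }."""
    return 0 <= x < (1 << k) and gcd(x % n, n) == 1

def shift(u, n=N, k=K):
    """f^2 / g^2 of Figure 1: the shift by +-N, which is its own inverse."""
    top = 1 << k
    if u < top - n:
        return u + n
    if u < n:                 # 2^k - N <= u < N
        return u
    return u - n

def f_rsacd(x, n=N, e=E, k=K):
    """f_{N,e,k} = f^3 o f^2 o f^1."""
    u = pow(x, e, n) if x < n else x        # f^1: RSA only below N
    v = shift(u, n, k)                      # f^2
    return pow(v, e, n) if v < n else v     # f^3: RSA again only below N

def g_rsacd(y, n=N, d=D, k=K):
    """g_{N,d,k} = g^3 o g^2 o g^1, undoing f^3, f^2, f^1 in turn."""
    v = pow(y, d, n) if y < n else y        # g^1
    u = shift(v, n, k)                      # g^2 (same involution as f^2)
    return pow(u, d, n) if u < n else u     # g^3

def rsa_applications(x, n=N, e=E, k=K):
    """How many modular exponentiations f_{N,e,k} performs on input x (1 or 2)."""
    count = 0
    u = x
    if x < n:
        u = pow(x, e, n)
        count += 1
    if shift(u, n, k) < n:
        count += 1
    return count

def check_permutation(n=N, e=E, d=D, k=K):
    """Exhaustive check on the toy instance; returns the size of the domain."""
    dom = [x for x in range(1 << k) if in_domain(x, n, k)]
    images = [f_rsacd(x, n, e, k) for x in dom]
    assert all(in_domain(y, n, k) for y in images)          # f stays in Dom
    assert sorted(images) == dom                           # f is a bijection on Dom
    assert all(g_rsacd(f_rsacd(x, n, e, k), n, d, k) == x for x in dom)
    assert all(rsa_applications(x, n, e, k) >= 1 for x in dom)  # "at least once"
    return len(dom)
```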
2.3 Properties of RSACD

In this section, we prove that the θ-partial one-wayness of RSACD is equivalent to the one-wayness of RSACD for θ > 0.5, and that the one-wayness of RSACD is equivalent to the one-wayness of RSA.

Theorem 1. Let A be an algorithm that outputs the $k - k_0$ most significant bits of the pre-image of its input $y \in \mathrm{Rng}_{RSACD}(N,e,k)$ for $2^{k-1} < N < 2^k$ with $k > 2k_0$ (i.e. A is a $((k-k_0)/k)$-partial inverting algorithm for RSACD with $k > 2k_0$), with success probability $\varepsilon = \mathrm{Adv}^{\theta\text{-pow-fnc}}_{RSACD,A}(k)$ where $\theta = (k-k_0)/k > 0.5$, within time bound t. There exists an algorithm B that outputs a pre-image of y (i.e. B is an inverting algorithm for RSACD) with success probability $\varepsilon' = \mathrm{Adv}^{1\text{-pow-fnc}}_{RSACD,B}(k)$ within time bound t' where

$$\varepsilon' \ge \frac{\varepsilon^2}{16} \cdot (1 - 2^{2k_0-k+7}), \qquad t' \le 2t + O(k^3).$$

To prove this theorem, we use the following lemma proved in [4].

Lemma 1 ([4]). Consider an equation $at + u = c \pmod N$ which has solutions t and u smaller than $2^{k_0}$. For all values of a, except a fraction $2^{2k_0+6}/N$ of them, (t, u) is unique and can be computed in time $O((\log N)^3)$. (We say "a is a good value" when we can solve the above equation.)

Proof (Theorem 1). We construct the algorithm B to compute a pre-image of $y \in \mathrm{Rng}_{RSACD}(N,e,k)$, then we analyze this algorithm and evaluate the success probability and the running time of B.

Algorithm $B((N,e,k), y)$
  [step 1: set a, pow, y']
  $a \leftarrow_R \mathbb{Z}_N^*$; $pow \leftarrow_R \{1, 2\}$; $c \leftarrow_R \{0, 1\}$
  $y_{temp} \leftarrow y \cdot a^{e^{pow}} \bmod N$
  if $(c = 1)$ $y' \leftarrow y_{temp}$
  elseif $(0 \le y_{temp} < 2^k - N)$ $y' \leftarrow y_{temp} + N$
  else return fail
  [step 2: run A]
  $z \leftarrow A(y)$; $z' \leftarrow A(y')$
  [step 3: compute $g_{N,d,k}(y)$]
  find $(r, s)$ s.t. $ar - s = (z' - za) \cdot 2^{k_0} \pmod N$
  $x \leftarrow z \cdot 2^{k_0} + r$
  return x

Analysis

For $y \in \mathrm{Rng}_{RSACD}(N,e,k)$ and $x = g_{N,d,k}(y)$, (x, y) satisfies one of the following equations.

$$(1)\; y = x^e \pmod N \qquad (2)\; y = x^{e^2} \pmod N$$

We say type(y) = 1 (respectively type(y) = 2) if (x, y) satisfies equation 1 (resp. equation 2).

After step 1, if B does not output fail, then y' is uniformly distributed over $\mathrm{Rng}_{RSACD}(N,e,k)$, and for y' and $x' = g_{N,d,k}(y')$, (x', y') satisfies one of the following equations.

$$(1')\; y' = (x')^e \pmod N \qquad (2')\; y' = (x')^{e^2} \pmod N$$

We say type(y') = 1 (respectively type(y') = 2) if (x', y') satisfies equation 1' (resp. equation 2').

After step 2, if A outputs correctly, namely, z is the $k - k_0$ most significant bits of x and z' is the $k - k_0$ most significant bits of x', then $x = z \cdot 2^{k_0} + r$ and $x' = z' \cdot 2^{k_0} + s$ for some (r, s) where $0 \le r, s < 2^{k_0}$. Furthermore, if type(y) = type(y') = pow, then $y = x^{e^{pow}} \pmod N$ and $y' = (x')^{e^{pow}} \pmod N$. Since $y' = y \cdot a^{e^{pow}} \pmod N$ and $\gcd(e^{pow}, N) = 1$, we have $x' = ax \pmod N$. Thus,

$$z' \cdot 2^{k_0} + s = a \cdot (z \cdot 2^{k_0} + r) \pmod N$$
$$ar - s = (z' - za) \cdot 2^{k_0} \pmod N$$

where $0 \le r, s < 2^{k_0}$. If a is a good value, algorithm B can solve this equation in step 3 (Lemma 1), and outputs $x = z \cdot 2^{k_0} + r$.

Now, we analyze the success probability. We define the following events:

— Fail : B outputs fail in step 1,

— GV : a is a good value,

— Type1 : type(y) = type(y') = 1,

— Type2 : type(y) = type(y') = 2,

— SucA : A(y) and A(y') are correct.

We have $\varepsilon = \Pr[A(y) \text{ is correct} \wedge type(y) = 1] + \Pr[A(y) \text{ is correct} \wedge type(y) = 2]$ where y is uniformly distributed over $\mathrm{Rng}_{RSACD}(N,e,k)$. Thus,

$$\Pr[A(y) \text{ is correct} \wedge type(y) = 1] \ge \frac{\varepsilon}{2} \quad\text{or}\quad \Pr[A(y) \text{ is correct} \wedge type(y) = 2] \ge \frac{\varepsilon}{2}.$$

If B does not output fail in step 1, then y' is uniformly distributed over $\mathrm{Rng}_{RSACD}(N,e,k)$. Therefore,

$$\Pr[\mathrm{SucA} \wedge \mathrm{Type1} \mid \neg\mathrm{Fail}] \ge \frac{\varepsilon^2}{4} \quad\text{or}\quad \Pr[\mathrm{SucA} \wedge \mathrm{Type2} \mid \neg\mathrm{Fail}] \ge \frac{\varepsilon^2}{4}.$$

If A(y) and A(y') are correct, type(y) = type(y') = pow, and a is a good value, then B outputs correctly. Since $\Pr[\neg\mathrm{Fail}] \ge \Pr[c = 1] = 1/2$, $\Pr[pow = 1] = \Pr[pow = 2] = 1/2$, and $\Pr[GV] \ge 1 - 2^{2k_0+6}/N > 1 - 2^{2k_0-k+7}$, we have

$$\varepsilon' \ge \Pr[\mathrm{SucA} \wedge type(y) = type(y') = pow \wedge a \text{ is a good value}]$$
$$\ge \Pr[GV] \times \Pr[\neg\mathrm{Fail}] \times \Pr[\mathrm{SucA} \wedge type(y) = type(y') = pow \mid \neg\mathrm{Fail}]$$
$$\ge \frac{1}{2} \cdot (1 - 2^{2k_0-k+7}) \times (\Pr[\mathrm{SucA} \wedge \mathrm{Type1} \wedge pow = 1 \mid \neg\mathrm{Fail}] + \Pr[\mathrm{SucA} \wedge \mathrm{Type2} \wedge pow = 2 \mid \neg\mathrm{Fail}])$$
$$= \frac{1}{2} \cdot (1 - 2^{2k_0-k+7}) \times (\Pr[pow = 1] \times \Pr[\mathrm{SucA} \wedge \mathrm{Type1} \mid \neg\mathrm{Fail}] + \Pr[pow = 2] \times \Pr[\mathrm{SucA} \wedge \mathrm{Type2} \mid \neg\mathrm{Fail}])$$
$$\ge \frac{1}{4} \cdot (1 - 2^{2k_0-k+7}) \times \frac{\varepsilon^2}{4} = \frac{\varepsilon^2}{16} \cdot (1 - 2^{2k_0-k+7}).$$

We estimate the running time of B. B runs A twice. B can solve $ar - s = (z' - za) \cdot 2^{k_0} \pmod N$ in time $O(k^3)$. Therefore, $t' \le 2t + O(k^3)$. □
Theorem 2. If RSA is one-way, then RSACD is one-way.

Proof. We prove that if there exists a polynomial-time inverting algorithm A for RSACD with non-negligible probability $\varepsilon = \mathrm{Adv}^{1\text{-pow-fnc}}_{RSACD,A}(k)$, then there exists a polynomial-time inverting algorithm D for RSA with non-negligible probability $\varepsilon' = \mathrm{Adv}^{1\text{-pow-fnc}}_{RSA,D}(k)$. We specify the algorithm D to compute a pre-image of $Y \in \mathrm{Rng}_{RSA}(N,e,k)$.

Algorithm $D((N,e,k), Y)$
  if $(2^{k-2} < N < 2^{k-1})$ return f​ail
  else
    $c \leftarrow_R \{0, 1\}$
    if $(c = 0)$ $y \leftarrow Y$; $x \leftarrow A((N,e,k), y)$; $u \leftarrow f^1_{N,e,k}(x)$; $v \leftarrow f^2_{N,e,k}(u)$; $X \leftarrow v$
    else $u \leftarrow Y$; $v \leftarrow f^2_{N,e,k}(u)$; $y \leftarrow f^3_{N,e,k}(v)$; $x \leftarrow A((N,e,k), y)$; $X \leftarrow x$
  return X

Now, we analyze the advantage of D. Let Fail be the event that D outputs fail and $\lambda = \Pr[\neg\mathrm{Fail}]$. It is clear that λ is non-negligible. In the following, $\Pr_1[\cdot]$ denotes $\Pr[\cdot \mid \neg\mathrm{Fail}]$. If D does not output fail and A outputs correctly, then D outputs correctly (see Figure 1). Therefore,

$$\varepsilon' \ge \Pr[\neg\mathrm{Fail}] \cdot (\Pr_1[c = 0 \wedge A((N,e,k),Y) \text{ is correct}] + \Pr_1[c = 1 \wedge A((N,e,k),Z) \text{ is correct}])$$
$$\ge \frac{\lambda}{2} \cdot (\Pr_1[A((N,e,k),Y) \text{ is correct}] + \Pr_1[A((N,e,k),Z) \text{ is correct} \wedge N \le Z < 2^k]),$$

where $Z = f^3_{N,e,k}(f^2_{N,e,k}(Y))$. We have

$$\Pr_1[A((N,e,k),Y) \text{ is correct}] = \Pr_1[A((N,e,k),y) \text{ is correct} \mid 0 \le y < N] \ge \Pr_1[A((N,e,k),y) \text{ is correct} \wedge 0 \le y < N].$$

Furthermore, we have $\Pr_1[N \le Z < 2^k] \ge \Pr_1[N \le y < 2^k]$ where Y is uniformly distributed over $\mathbb{Z}_N^*$ and y is uniformly distributed over $\mathrm{Rng}_{RSACD}(N,e,k)$, since $\Pr_1[N \le Z < 2^k] = \Pr_1[0 \le Y < 2^k - N]$ and $|\mathbb{Z}_N^*| \le |\mathrm{Rng}_{RSACD}(N,e,k)|$. Since $\Pr_1[A((N,e,k),Z) \text{ is correct} \mid N \le Z < 2^k] = \Pr_1[A((N,e,k),y) \text{ is correct} \mid N \le y < 2^k]$, we have

$$\Pr_1[A((N,e,k),Z) \text{ is correct} \wedge N \le Z < 2^k] \ge \Pr_1[A((N,e,k),y) \text{ is correct} \wedge N \le y < 2^k].$$

Therefore,

$$\varepsilon' \ge \frac{\lambda}{2} \cdot (\Pr_1[A((N,e,k),y) \text{ is correct} \wedge 0 \le y < N] + \Pr_1[A((N,e,k),y) \text{ is correct} \wedge N \le y < 2^k])$$
$$= \frac{\lambda}{2} \cdot \Pr_1[A((N,e,k),y) \text{ is correct}] = \frac{\lambda}{2} \cdot \varepsilon. \qquad \square$$

It is clear that if RSACD is one-way then RSA is one-way. Thus, the one-wayness of RSACD is equivalent to the one-wayness of RSA.
3 Application to Key-Privacy Encryption



3.1 Definitions of Key-Privacy 

The classical security requirements of an encryption scheme, for example indistinguishability or non-malleability under chosen-ciphertext attack, provide privacy of the encrypted data. In [1], Bellare, Boldyreva, Desai, and Pointcheval proposed a new security requirement of encryption schemes called "key-privacy." It asks that the encryption provide (in addition to privacy of the data being encrypted) privacy of the key under which the encryption was performed.

In a heterogeneous public-key environment, encryption will probably fail to be anonymous for trivial reasons. For example, different users might be using different cryptosystems, or, if the same cryptosystem, have keys of different lengths. In [1], a public-key encryption scheme with common-key generation is described as follows.



Definition 6. A public-key encryption scheme with common-key generation $\mathcal{PE} = (\mathcal{G}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ consists of four algorithms.

— The common-key generation algorithm $\mathcal{G}$ takes as input some security parameter k and returns some common key I.

— The key generation algorithm $\mathcal{K}$ is a randomized algorithm that takes as input the common key I and returns a pair (pk, sk) of keys, the public key and a matching secret key.

— The encryption algorithm $\mathcal{E}$ is a randomized algorithm that takes the public key pk and a plaintext x to return a ciphertext y.

— The decryption algorithm $\mathcal{D}$ is a deterministic algorithm that takes the secret key sk and a ciphertext y to return the corresponding plaintext x or a special symbol ⊥ to indicate that the ciphertext was invalid.



In [1], they formalized the property of "key-privacy." This can be considered under either the chosen-plaintext attack or the chosen-ciphertext attack, yielding two notions of security, IK-CPA and IK-CCA. (IK means "indistinguishability of keys".)



Definition 7 (IK-CPA, IK-CCA [1]). Let $\mathcal{PE} = (\mathcal{G}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ be an encryption scheme. Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let $A_{cpa}$, $A_{cca}$ be adversaries that run in two stages and where $A_{cca}$ has access to the oracles $\mathcal{D}_{sk_0}(\cdot)$ and $\mathcal{D}_{sk_1}(\cdot)$. Note that si is the state information. It contains $pk_0$, $pk_1$, and so on. Now, we consider the following experiments:

Experiment $\mathrm{Exp}^{ik\text{-}cpa\text{-}b}_{\mathcal{PE},A_{cpa}}(k)$
  $I \leftarrow \mathcal{G}(k)$
  $(pk_0, sk_0) \leftarrow \mathcal{K}(I)$; $(pk_1, sk_1) \leftarrow \mathcal{K}(I)$
  $(x, si) \leftarrow A_{cpa}(\mathrm{find}, pk_0, pk_1)$
  $y \leftarrow \mathcal{E}_{pk_b}(x)$
  $d \leftarrow A_{cpa}(\mathrm{guess}, y, si)$
  return d

Experiment $\mathrm{Exp}^{ik\text{-}cca\text{-}b}_{\mathcal{PE},A_{cca}}(k)$
  $I \leftarrow \mathcal{G}(k)$
  $(pk_0, sk_0) \leftarrow \mathcal{K}(I)$; $(pk_1, sk_1) \leftarrow \mathcal{K}(I)$
  $(x, si) \leftarrow A_{cca}^{\mathcal{D}_{sk_0}(\cdot), \mathcal{D}_{sk_1}(\cdot)}(\mathrm{find}, pk_0, pk_1)$
  $y \leftarrow \mathcal{E}_{pk_b}(x)$
  $d \leftarrow A_{cca}^{\mathcal{D}_{sk_0}(\cdot), \mathcal{D}_{sk_1}(\cdot)}(\mathrm{guess}, y, si)$
  return d

Above it is mandated that $A_{cca}$ never queries $\mathcal{D}_{sk_0}(\cdot)$ or $\mathcal{D}_{sk_1}(\cdot)$ on the challenge ciphertext y. For atk ∈ {cpa, cca} we define the advantages via

$$\mathrm{Adv}^{ik\text{-}atk}_{\mathcal{PE},A_{atk}}(k) = \Pr[\mathrm{Exp}^{ik\text{-}atk\text{-}1}_{\mathcal{PE},A_{atk}}(k) = 1] - \Pr[\mathrm{Exp}^{ik\text{-}atk\text{-}0}_{\mathcal{PE},A_{atk}}(k) = 1].$$

The scheme $\mathcal{PE}$ is said to be IK-CPA secure (respectively IK-CCA secure) if the function $\mathrm{Adv}^{ik\text{-}cpa}_{\mathcal{PE},A_{cpa}}(\cdot)$ (resp. $\mathrm{Adv}^{ik\text{-}cca}_{\mathcal{PE},A_{cca}}(\cdot)$) is negligible for any adversary A whose time complexity is polynomial in k.



The “time-complexity” is the worst-case execution time of the experiment plus 
the size of the code of the adversary, in some fixed RAM model of computation. 



3.2 RSA-RAEP by Bellare, Boldyreva, Desai, and Pointcheval 

A simple observation that seems to be folklore is that standard RSA encryption does not provide key-privacy, even when all moduli in the system have the same length. Suppose an adversary knows that the ciphertext y is created under one of two keys $(N_0, e_0)$ or $(N_1, e_1)$, and suppose $N_0 < N_1$. If $y \ge N_0$ then the adversary bets it was created under $(N_1, e_1)$, else it bets it was created under $(N_0, e_0)$. It is not hard to see that this attack has non-negligible advantage.

In [1], they proposed an RSA-based encryption scheme which is secure in the sense of IK-CCA. It is RSA-RAEP, which is a variant of RSA-OAEP. Since their variant chooses N from $(2^{k-2}, 2^k)$, it simply repeats the ciphertext computation, each time using new coins, until the ciphertext y satisfies $y < 2^{k-2}$.



Definition 8 (RSA-RAEP [1]). RSA-RAEP = $(\mathcal{G}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ is as follows. The common-key generation algorithm $\mathcal{G}$ takes a security parameter k and returns parameters k, $k_0$ and $k_1$ such that $k_0(k) + k_1(k) < k$ for all $k > 1$. This defines an associated plaintext-length function $n(k) = k - k_0(k) - k_1(k)$. The key generation algorithm $\mathcal{K}$ takes $k, k_0, k_1$, runs the key-generation algorithm of RSA, and gets (N, e) and (N, d). The public key pk is $(N,e), k, k_0, k_1$ and the secret key sk is $(N,d), k, k_0, k_1$. The other algorithms are depicted below. Let $G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n+k_1}$ and $H : \{0,1\}^{n+k_1} \rightarrow \{0,1\}^{k_0}$. Note that $[x]^n$ denotes the n most significant bits of x and $[x]_m$ denotes the m least significant bits of x.

Algorithm $\mathcal{E}_{pk}(x)$
  $ctr \leftarrow -1$
  repeat
    $ctr \leftarrow ctr + 1$
    $r \leftarrow_R \{0,1\}^{k_0}$
    $s \leftarrow (x \| 0^{k_1}) \oplus G(r)$; $t \leftarrow r \oplus H(s)$
    $v \leftarrow (s \| t)^e \bmod N$
  until $((v < 2^{k-2}) \vee (ctr = k_1))$
  if $(ctr = k_1)$ $y \leftarrow 1 \| 0^{k_0+k_1} \| x$
  else $y \leftarrow 0 \| v$
  return y

Algorithm $\mathcal{D}_{sk}(y)$
  $b \leftarrow [y]^1$; $w \leftarrow [y]_{k_0+k_1+n}$
  if $(b = 1)$
    if $(w = 0^{k_0+k_1} \| x)$ $z \leftarrow x$ else $z \leftarrow \bot$
  else
    $s \leftarrow [w^d \bmod N]^{n+k_1}$; $t \leftarrow [w^d \bmod N]_{k_0}$
    $r \leftarrow t \oplus H(s)$
    $x \leftarrow [s \oplus G(r)]^n$; $p \leftarrow [s \oplus G(r)]_{k_1}$
    if $(p = 0^{k_1})$ $z \leftarrow x$ else $z \leftarrow \bot$
  return z
They proved RSA-RAEP is secure in the sense of IND-CCA2 and IK-CCA in the random oracle model assuming RSA is one-way. In RSA-RAEP, the expected number of exponentiations for encryption is

$$\frac{1 - (1 - p)^{k_1}}{p}, \qquad \text{where } p = \frac{2^{k-2}}{N}.$$

Suppose that N is uniformly distributed in $(2^{k-1}, 2^k)$; then the expected number for this scheme is two. However, the upper bound on the number of exponentiations for encryption is $k_1$ ($\ge 2$, a security parameter).



3.3 Our Proposed Encryption Scheme 



In this section, we propose our encryption scheme, which uses RSACD instead 
of RSA. 



Definition 9. The common-key generation algorithm $\mathcal{G}$, and the oracles G and H are the same as in RSA-RAEP. The key generation algorithm $\mathcal{K}$ is almost the same as in RSA-RAEP. The difference is running the key-generation algorithm of RSACD instead of RSA. The other algorithms are described as follows. Note that a valid ciphertext y satisfies $y \in [0, 2^k)$ and $y \bmod N \in \mathbb{Z}_N^*$.

Algorithm $\mathcal{E}_{pk}(x)$
  $r \leftarrow_R \{0,1\}^{k_0}$
  $s \leftarrow (x \| 0^{k_1}) \oplus G(r)$
  $t \leftarrow r \oplus H(s)$
  $y \leftarrow f_{N,e,k}(s \| t)$
  return y

Algorithm $\mathcal{D}_{sk}(y)$
  $s \leftarrow [g_{N,d,k}(y)]^{n+k_1}$; $t \leftarrow [g_{N,d,k}(y)]_{k_0}$
  $r \leftarrow t \oplus H(s)$
  $x \leftarrow [s \oplus G(r)]^n$; $p \leftarrow [s \oplus G(r)]_{k_1}$
  if $(p = 0^{k_1})$ $z \leftarrow x$ else $z \leftarrow \bot$
  return z



Using Theorems 1 and 2, we can prove the following theorem.

Theorem 3. Our scheme is secure in the sense of IND-CCA2 and IK-CCA in the random oracle model assuming RSA is one-way.

Proof (Idea). Fujisaki, Okamoto, Pointcheval, and Stern [4] proved that OAEP with a partial one-way permutation is secure in the sense of IND-CCA2. Thus, OAEP with $f_{N,e,k}$ is secure in the sense of IND-CCA2 assuming RSACD is partial one-way.

Bellare, Boldyreva, Desai, and Pointcheval [1] proved RSA-RAEP is secure in the sense of IK-CCA in the random oracle model assuming RSA is partial one-way. Noticing that the functions $f_{N,e,k}$ and $g_{N,d,k}$, and the domain of valid signatures, change, we can prove in a similar way that our scheme is secure in the sense of IK-CCA in the random oracle model assuming RSACD is partial one-way.

Therefore, by Theorems 1 and 2, we can prove that our scheme is secure in the sense of IND-CCA2 and IK-CCA under the assumption that RSA is one-way. □
In this scheme, the expected number of exponentiations in encryption is

$$\frac{N}{2^k} + \frac{2N - 2^k}{2^k} = \frac{N}{2^k} + \frac{N - 2^{k-1}}{2^{k-1}},$$

the first term being the probability that $f^1_{N,e,k}$ exponentiates (x < N) and the second the probability that $f^3_{N,e,k}$ does (the intermediate value lies in $[2^k - N, N)$). Suppose that N is uniformly distributed in $(2^{k-1}, 2^k)$; then the expected number for our scheme is two, the same as RSA-RAEP. In our scheme, the number of exponentiations for encryption is at most two, while in RSA-RAEP the upper bound on this number is $k_1$ ($\ge 2$, a security parameter). Notice that we use the randomness only for RSA-OAEP itself.



4 Application to Ring Signature 

4.1 Definitions of Ring Signature 

In [2], Rivest, Shamir, and Tauman proposed the notion of ring signature, which 
allows a member of an ad hoc collection of users S to prove that a message 
is authenticated by a member of S without revealing which member actually 
produced the signature. Unlike group signature, ring signature has no group 
managers, no setup procedures, no revocation procedures, and no coordination. 

Definition 10 (Ring Signature [2]). One assumes that each user (called a ring member) has received (via a PKI or a certificate) a public key $P_k$, for which the corresponding secret key is denoted by $S_k$. A ring signature scheme consists of the following algorithms.

— ring-sign$(m, P_1, P_2, \ldots, P_r, s, S_s)$ which produces a ring signature σ for the message m, given the public keys $P_1, P_2, \ldots, P_r$ of the r ring members, together with the secret key $S_s$ of the s-th member (who is the actual signer).

— ring-verify$(m, \sigma)$ which accepts a message m and a signature σ (which includes the public keys of all the possible signers), and outputs either "true" or "false".

The signer does not need the knowledge, consent, or assistance of the other ring members to put them in the ring. All he needs is knowledge of their regular public keys. Verification must satisfy the usual soundness and completeness conditions, but in addition the signature scheme must be "signer-ambiguous", which is the property that the verifier should be unable to determine the identity of the actual signer with probability greater than $1/r + \epsilon$, where r is the size of the ring, and ε is negligible.



4.2 RSA-based Ring Signature Scheme by Rivest, Shamir, and 
Tauman 

In [2], they constructed ring signature schemes in which all the ring members use RSA as their individual signature schemes. We review their scheme.

Let k, ℓ and b be security parameters. Let E be a symmetric encryption scheme over $\{0,1\}^b$ using ℓ-bit keys and h be a hash function which maps arbitrary strings to ℓ-bit strings. They use h to make a key for E. They assume that each user has an RSA public key $P_i = (N_i, e_i)$ which specifies the trap-door one-way permutation on $\mathbb{Z}_{N_i}$: $f_i(x) = x^{e_i} \bmod N_i$.

To sign and verify a ring signature, they proposed a combining function $C_{k,v}$ based on a symmetric encryption scheme E modeled by a (keyed) random permutation

$$C_{k,v}(y_1, \ldots, y_r) = E_k(y_r \oplus E_k(y_{r-1} \oplus \cdots \oplus E_k(y_2 \oplus E_k(y_1 \oplus v)) \cdots))$$

where v is an initialization value. In their scheme, the inputs $y_i$ to the combining function are computed as $g_i(x_i)$ for some $x_i \in \{0,1\}^b$. They defined the extended trap-door permutation $g_i$ over $\{0,1\}^b$, which has a common domain for each user, as follows: for any b-bit input $x_i$ define nonnegative integers $q_i$ and $r_i$ so that $x_i = q_i N_i + r_i$ and $0 \le r_i < N_i$. Then

$$g_i(x_i) = \begin{cases} q_i N_i + f_i(r_i) & \text{if } (q_i + 1) N_i \le 2^b \\ x_i & \text{otherwise.} \end{cases}$$

If b is sufficiently large (e.g. 160 bits larger than any of the $N_i$), $g_i$ is a one-way trap-door permutation. (See also [5].)

A ring signature on a message m consists of a tuple $(v, x_1, \ldots, x_r)$ and the signature is valid iff $C_{h(m),v}(g_1(x_1), \ldots, g_r(x_r)) = v$. For any message m, any fixed value v and any fixed values $y_i$ ($i \ne s$), one can efficiently compute the value $y_s$ such that the combining function outputs v by using the following equation:

$$y_s = E_k^{-1}(y_{s+1} \oplus E_k^{-1}(\cdots E_k^{-1}(y_r \oplus E_k^{-1}(v)) \cdots)) \oplus E_k(y_{s-1} \oplus \cdots E_k(y_1 \oplus v) \cdots).$$

Now using her knowledge of the trap-door for the function $f_s$, the s-th member (the actual signer) is able to compute $x_s$ such that $g_s(x_s) = y_s$. Thus, the ring member can generate a valid signature. Rivest, Shamir, and Tauman proved this scheme is unconditionally signer-ambiguous and provably secure in the random oracle model assuming RSA is one-way.
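The combining function $C_{k,v}$, the extended permutation $g_i$ and the equation for $y_s$ above, as an added Python example that is not from [2] or from this paper: three constructed 8-bit RSA keys share a common domain of b = 16 bits, the key k = h(m) comes from SHA-256, and $E_k$ is a toy keyed affine permutation standing in for the ideal cipher (every parameter is an assumption chosen for illustration only).

```python
import hashlib
import os
from math import gcd

# Constructed toy parameters, NOT the values of [2] or of this paper: every ring
# member has an 8-bit RSA modulus and the common domain is b = 16 bits, so 2^b
# exceeds each N_i (the real scheme wants b about 160 bits above the moduli).
B = 16
MASK = (1 << B) - 1

def make_rsa_key(p, q, e):
    n = p * q
    assert gcd(e, (p - 1) * (q - 1)) == 1
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# Ring of three members; P_i = (N_i, e_i) defines f_i(x) = x^{e_i} mod N_i.
PUB, SEC = zip(*[make_rsa_key(11, 13, 7), make_rsa_key(11, 17, 3), make_rsa_key(13, 17, 5)])

def g_ext(pub, x):
    """RST extended permutation g_i on {0,1}^b: write x = q*N_i + r with
    0 <= r < N_i and apply f_i to r only if the block (q+1)*N_i fits below 2^b."""
    n, e = pub
    q, r = divmod(x, n)
    return q * n + pow(r, e, n) if (q + 1) * n <= (1 << B) else x

def g_ext_inv(sec, y):
    """Inverse of g_ext; needs the trap-door d of that member."""
    n, d = sec
    q, r = divmod(y, n)
    return q * n + pow(r, d, n) if (q + 1) * n <= (1 << B) else y

def _params(key):
    """Toy keyed permutation E_k on b-bit strings: an invertible affine map whose
    parameters are derived from the key (stands in for the ideal cipher of [2])."""
    h = hashlib.sha256(key).digest()
    a = int.from_bytes(h[0:2], "big") & MASK
    m = (int.from_bytes(h[2:4], "big") | 1) & MASK   # odd, hence invertible mod 2^b
    c = int.from_bytes(h[4:6], "big") & MASK
    return a, m, c

def E(key, y):
    a, m, c = _params(key)
    return ((y ^ a) * m + c) & MASK

def E_inv(key, z):
    a, m, c = _params(key)
    return (((z - c) * pow(m, -1, 1 << B)) & MASK) ^ a

def combine(key, v, ys):
    """C_{k,v}(y_1,...,y_r) = E_k(y_r XOR E_k(y_{r-1} XOR ... E_k(y_1 XOR v)...))."""
    acc = v
    for y in ys:
        acc = E(key, y ^ acc)
    return acc

def ring_sign(m, pubs, s, sec):
    """ring-sign(m, P_1..P_r, s, S_s) with 0-based signer index s; returns (v, x_1..x_r)."""
    key = hashlib.sha256(m).digest()              # k = h(m) keys the combining function
    r = len(pubs)
    v = int.from_bytes(os.urandom(2), "big") & MASK
    xs = [int.from_bytes(os.urandom(2), "big") & MASK for _ in range(r)]
    ys = [g_ext(pubs[i], xs[i]) for i in range(r)]
    # Solve C_{k,v}(y_1..y_r) = v for y_s: unwind E_k^{-1} from the right over
    # members s+1..r, build E_k up from the left over members 1..s-1, then XOR.
    right = E_inv(key, v)
    for i in range(r - 1, s, -1):
        right = E_inv(key, ys[i] ^ right)
    left = v
    for i in range(s):
        left = E(key, ys[i] ^ left)
    ys[s] = right ^ left
    xs[s] = g_ext_inv(sec, ys[s])                 # only the real signer can invert g_s
    return v, xs

def ring_verify(m, pubs, sig):
    """ring-verify(m, sigma): recompute every y_i = g_i(x_i) and check the ring closes."""
    v, xs = sig
    key = hashlib.sha256(m).digest()
    ys = [g_ext(pubs[i], xs[i]) for i in range(len(pubs))]
    return combine(key, v, ys) == v
```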

4.3 Our Proposed Ring Signature Scheme 

Unlike group signature, ring signature has no group managers, no setup procedures, no revocation procedures, and no coordination, and each user can use a public key whose length is different from other users'.

In [2], Rivest, Shamir, and Tauman mentioned the case where a member of the cabinet of some country wished to leak her secret to a journalist. In this kind of situation, it is reasonable to consider that the members of the same group use RSA moduli of the same length. In our scheme, we assume the situation where each user chooses her public key with the same size.

Our scheme is almost the same as the previous scheme. The difference is using $f_{N,e,k}(\cdot)$ of Section 2.2 instead of $g_i(\cdot)$ of Section 4.2. Then, the domain of $f_{N,e,k}(\cdot)$ is $\{0,1\}^k$, while that of the previous scheme is $\{0,1\}^{k+160}$, where k is the length of the RSA moduli. Thus, we can reduce the size of the signature in this situation. In particular, the size of the signature of our scheme is 160 bits smaller than that of the previous scheme in order to achieve security parameter k = 1024. In our scheme, the number of exponentiations is one or two, while that of the original scheme in [2] is one. Since $f_{N,e,k}(\cdot)$ is a trap-door one-way permutation as well as $g_i(\cdot)$, we can easily prove the following theorem in a similar way as for the previous scheme.

Theorem 4. Our scheme is unconditionally signer-ambiguous and provably secure in the random oracle model assuming RSA is one-way.

We can also apply this scheme to the Rabin-based ring signature scheme in [2] in a similar way.

5 Conclusion 

In this paper, we have constructed an RSA family of trap-door permutations with a common domain and proposed the applications of our construction to the key-privacy encryption and ring signature schemes, which have some advantages over the previous schemes. It might be interesting to consider other applications of our RSA family, and different constructions of a family of trap-door permutations with a common domain.
Abstract. Though the multivariable cryptosystems first suggested by Matsumoto and Imai were defeated by the linearization method of Patarin due to the special properties of the Matsumoto-Imai (MI) cryptosystem, many variants and extensions of the MI system were suggested, mainly by Patarin and his collaborators. In this paper, we propose a new variant of the MI system, which was inspired by the idea of "perturbation". This method uses a set of r (a small number) linearly independent linear functions $z_i = \sum_{j=1}^{n} \alpha_{ij} x_j$ over the variables $x_i$, which are the variables of the MI system. The perturbation is performed by adding random quadratic functions of the $z_i$ to the MI system. The difference between our idea and a very similar idea of the Hidden Field Equation and Oil-Vinegar system is that our perturbation is internal, where we do not introduce any new variables, while the Hidden Field Equation and Oil-Vinegar system is an "external" perturbation of the HFE system, where a few extra (external) new variables are introduced to perform the perturbation. A practical implementation example of 136 bits, its security analysis and efficiency analysis are presented. The attack complexity of this perturbed Matsumoto-Imai cryptosystem is estimated.

Keywords: open-key, multivariable, quadratic polynomials, perturbation



1 Introduction 

Since the invention of the RSA scheme, there has been great interest in seeking new public key cryptosystems, which may serve us better for different purposes. One direction to look for such systems is based on multivariable polynomials, in particular, quadratic polynomials. This method relies on the proven theorem that solving a set of multivariable polynomial equations over a finite field is, in general, an NP-hard problem, which, however, does not guarantee the security.

One of the basic ideas to design such a system was started by Matsumoto and Imai [MI], where they suggested using a map F over a large field K, a degree n extension of a finite field k. Through identifying K with $k^n$, one would first identify this map F as a multivariable polynomial map from $k^n$ to $k^n$, which we


F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 305-318, 2004. 
call $\bar F$; then, one would “hide” this map $\bar F$ by composing it on both sides with two invertible affine linear maps $L_1$ and $L_2$ on $k^n$. This gives a quadratic map

$\hat F = L_1 \circ \bar F \circ L_2$

from $k^n$ to $k^n$ (by $\circ$, we mean composition of two maps). The map F suggested by Matsumoto and Imai is the map

$F : X \mapsto X^{1+q^\theta},$

where q is the number of elements in k, X is an element of K and k is of characteristic 2. However, this scheme was proven insecure under an algebraic attack using the linearization equations by Patarin [P].

Since then, there has been intensive developments by Patarin and his collab- 
orators to find all possible modifications and extensions of the Matsumoto-Imai 
systems, which are secure. Those ideas to directly extend the Matsumoto-Imai 
system can be divided into three groups in accordance with the method used. 

1) Minus-Plus method [CGP1]: This is the simplest idea among all, namely one takes out (Minus method, which was first suggested in [S]) a few of the quadratic polynomial components of $\hat F$, and (or) adds (Plus method) a few randomly chosen quadratic polynomials. The main reason to take the “Minus” action is security concerns. The Minus (only) method is very suitable for signature schemes. One of them is Sflash [ACDG, CGP], and it was recently accepted as one of the final selections in the New European Schemes for Signatures, Integrity, and Encryption: IST-1999-12324.

2) Hidden Field Equation Method (HFE) [P]: This method is suggested by Patarin to be the strongest. In this case, the difference from the original Matsumoto-Imai system is that F is replaced by the map (function)

$F : X \mapsto \sum_{i,j}^{A} a_{ij} X^{q^i + q^j} + \sum_{i}^{B} b_i X^{q^i} + c,$

where the coefficients are randomly chosen and the total degree of F must be small, otherwise the decryption process will become too slow. However, a new algebraic attack using both the Minrank method and the relinearization method by Kipnis and Shamir [KS] shows that the number A cannot be too small, but if A is big, the system is too slow due to the process of solving the polynomial equation in the decryption process. This is further confirmed by [C, FJ].

3) Hidden Field Equation and Oil-Vinegar Method [CGP2]: After the Hidden Field Equation Method, it was suggested to combine the Hidden Field Equation Method with another new method, the Oil-Vinegar method. The basic idea is, on top of the HFE method, to add a few new variables to make the system more complicated. This method essentially replaces F with an even more complicated function:

$F : (X, \tilde X) \mapsto \sum_{i,j}^{A} a_{ij} X^{q^i+q^j} + \sum_{i,j}^{B,B'} b_{ij} X^{q^i} \tilde X^{q^j} + \sum_{i,j}^{A'} a'_{ij} \tilde X^{q^i+q^j} + \sum_{i}^{B'} b'_i \tilde X^{q^i} + \sum_{i}^{B} b_i X^{q^i} + c,$

where the new Vinegar variables, given by the variable $\tilde X$, are of a small dimension. One can see that these new variables are mixed in a special way with the original variables (like Oil and Vinegar). The decryption process requires an exhaustive search on this small number of added variables. For the signature case the search becomes a random selection, which has a good probability of succeeding each time, and it continues until a correct answer is found. We recently observed that the attack in [KS] can also be applied here to actually eliminate the small number of added variables and attack the system. The basic idea is to use the algebraic method to find a way to purge out the Vinegar variables.

After all the efforts mentioned above, it seems that all the possible exten- 
sions and generalizations of the Matsumoto-Imai system are exhausted, but our 
construction provides another alternative. 

The motivation for our work is to develop new constructions that could be 
strongly resistant to the algebraic attack [P, KS] and its extensions like XL, but 
without much sacrifice to the efficiency of the system. 

From a very general point of view, the third method above (the HFE and 
Oil-Vinegar method) can also be interpreted as an extension of a commonly used 
idea in mathematics and physics, perturbation. Namely a good way to deal with a 
continuous system often is to “perturb” the system at a minimum scale. The HFE 
and Oil-Vinegar method can be viewed as a perturbation of the HFE method by 
the newly added Vinegar variables. However, because of the “Oil-Vinegar” idea, 
this perturbation, in some sense, is more of an “external” perturbation, where a 
few extra (external) new variables (Vinegar) are introduced to do so. 

For our construction, the idea is very similar; nevertheless, what we suggest is rather an idea of “internal” perturbation. Our perturbation is performed through a small set of variables “inside” the space $k^n$ (therefore they are “internal” variables) and we do not introduce any new variables. Namely, given a quadratic multivariable system F over $k^n$, we randomly find a surjective affine linear map Z from $k^n$ to $k^r$ with a small dimension r, then we try to “perturb” the system through the small number of variables related to Z.

This idea of internal perturbation is a very general idea that can be applied 
to all existing multivariable cryptosystems. 

A suitable example is the case of the Matsumoto-Imai system. The perturbation is performed in two steps:

I) first, we randomly choose r (small) linearly independent functions:

$z_i = \sum_{j=1}^{n} \alpha_{ij} x_j + \beta_i,$

where $x_i$ are the variables of $\bar F$, which can be treated as components of a surjective affine linear map Z from $k^n$ to $k^r$.




308 Jintai Ding 



2) then, we add random quadratic polynomials of the $z_i$ to the components of $\bar F$ to define a new map $\tilde F$ to replace $\bar F$:

$\tilde F(x_1,\dots,x_n) = (F_1(x_1,\dots,x_n) + f_1(z_1,\dots,z_r),\ F_2(x_1,\dots,x_n) + f_2(z_1,\dots,z_r),\ \dots,\ F_n(x_1,\dots,x_n) + f_n(z_1,\dots,z_r)).$

The rest is the same as that of the Matsumoto-Imai system. 

In this case, the third method above is not applicable here due to the fact 
that there are no linear terms to mix Oil and Vinegar. 

We will call our method hidden perturbation equation method due to the 
hidden equations that define the perturbation. 

The advantages of such new systems include the facts that they may be able 
to resist well existing algebraic attacks [KS, C], which may make the system 
very secure, and the internal perturbation makes the process of elimination of 
unnecessary candidates in the decryption process much faster. 

In the first section of the paper, we will introduce in detail the applica- 
tion of our general method to the Matsumoto-Imai cryptosystem. Then we will 
present a practical implementation example with 136 bits for the perturbation 
of a Matsumoto-Imai system, where we choose r to be 6. We will show that it 
should have a very high security level against all the known attacking methods. 
We will analyze the security and efficiency of the system and compare them with 
other multivariable cryptosystems with similar parameters. 

2 Perturbation of Matsumoto-Imai System 

2.1 The Original Matsumoto-Imai Cipher 

Let K be a degree n extension of a finite field k of characteristic 2 with q elements, and $K = k[x]/g(x)$, where $g(x)$ is a degree n irreducible polynomial over k. In general, the condition of characteristic 2 is not necessary, but then we should modify the system slightly due to the multiplicity concern of the final map.

Let $\phi$ be the standard k-linear map that identifies K with $k^n$:

$\phi : K \to k^n,$

such that

$\phi(a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1}) = (a_0, a_1, a_2, \dots, a_{n-1}).$

Let

$F(X) = X^{1+q^\theta},$

over K such that $\gcd(1 + q^\theta, q^n - 1) = 1$.

F is an invertible map and its inverse is given by

$F^{-1}(X) = X^t,$

where $t(1 + q^\theta) = 1 \pmod{q^n - 1}$.




A New Variant of the Matsumoto-Imai Cryptosystem through Perturbation 309 



Let $\bar F$ be a map over $k^n$ and

$\bar F(x_1,\dots,x_n) = \phi \circ F \circ \phi^{-1}(x_1,\dots,x_n) = (F_1(x_1,\dots,x_n),\ F_2(x_1,\dots,x_n),\ \dots,\ F_n(x_1,\dots,x_n)).$

Here $F_i(x_1,\dots,x_n)$ are quadratic polynomials of n variables.

Let $L_1$ and $L_2$ be two randomly chosen invertible affine linear maps over $k^n$.

$\hat F(x_1,\dots,x_n) = L_1 \circ \bar F \circ L_2(x_1,\dots,x_n) = (\hat F_1(x_1,\dots,x_n),\ \hat F_2(x_1,\dots,x_n),\ \dots,\ \hat F_n(x_1,\dots,x_n))$

is the cipher suggested by Matsumoto-Imai, which was defeated by the algebraic attack using linearization equations by Patarin.

2.2 The Perturbed Matsumoto-Imai Cipher 

Let r be a small number and

$z_1(x_1,\dots,x_n) = \sum_{j=1}^{n} \alpha_{j1} x_j + \beta_1,$

$\vdots$

$z_r(x_1,\dots,x_n) = \sum_{j=1}^{n} \alpha_{jr} x_j + \beta_r,$

be a set of randomly chosen linear functions of $x_i$ over $k^n$ such that the terms of degree one are linearly independent. Let

$Z(x_1,\dots,x_n) = (z_1,\dots,z_r) = \Big(\sum_{j=1}^{n} \alpha_{j1} x_j + \beta_1,\ \dots,\ \sum_{j=1}^{n} \alpha_{jr} x_j + \beta_r\Big),$

which gives a map from $k^n$ to $k^r$. Let

$\tilde F(x_1,\dots,x_n) = (\tilde F_1(x_1,\dots,x_n),\ \tilde F_2(x_1,\dots,x_n),\ \dots,\ \tilde F_n(x_1,\dots,x_n))$

$= (F_1(x_1,\dots,x_n) + f_1(z_1,\dots,z_r),\ F_2(x_1,\dots,x_n) + f_2(z_1,\dots,z_r),\ \dots,\ F_n(x_1,\dots,x_n) + f_n(z_1,\dots,z_r)),$

where $f_i$ are randomly chosen quadratic polynomials with r variables.

Let $f(z_1,\dots,z_r) = (f_1(z_1,\dots,z_r),\ f_2(z_1,\dots,z_r),\ \dots,\ f_n(z_1,\dots,z_r))$; f can be viewed as a map from $k^r$ to $k^n$. Let P be the set consisting of the pairs $(\lambda, \mu)$, where $\lambda$ is a point that belongs to the image of f, and $\mu$ is the set of pre-images of $\lambda$ under f. We call P the perturbation set. Here, we know that P has $q^r$ elements probabilistically, and it does not include any pair whose first component is the zero vector.
We call $\tilde F$ a perturbation of $\bar F$ by Z.

$\hat{\tilde F}(x_1,\dots,x_n) = L_1 \circ \tilde F \circ L_2(x_1,\dots,x_n) = (y_1(x_1,\dots,x_n),\ \dots,\ y_n(x_1,\dots,x_n)),$

where $y_i$ are quadratic polynomial components of $\hat{\tilde F}$. We call $\hat{\tilde F}$ the perturbed Matsumoto-Imai cipher.

Let $\bar f(x_1,\dots,x_n) = f(z_1(x_1,\dots,x_n),\ \dots,\ z_r(x_1,\dots,x_n))$, which is a map from $k^n$ to $k^n$. We can see that

$\hat{\tilde F}(x_1,\dots,x_n) = L_1 \circ \bar F \circ L_2(x_1,\dots,x_n) + L_1 \circ \bar f \circ L_2(x_1,\dots,x_n),$

and the perturbation is performed by just adding $L_1 \circ \bar f \circ L_2(x_1,\dots,x_n)$ to the original Matsumoto-Imai cipher.

We can use it to establish a public key cryptosystem. 

2.3 The Public Key 

The public key includes

1) the field k, including its addition and multiplication structure;

2) the n quadratic polynomials $y_1(x_1,\dots,x_n),\ \dots,\ y_n(x_1,\dots,x_n)$.



2.4 Encryption 

Given a message vector $M = (x'_1,\dots,x'_n)$ as the plaintext, the ciphertext is the vector

$(y'_1,\dots,y'_n) = (y_1(x'_1,\dots,x'_n),\ \dots,\ y_n(x'_1,\dots,x'_n)).$

2.5 The Private Key and the Decryption 

The private key includes:

1) the map F,

2) the set of linear functions $z_1,\dots,z_r$,

3) the set of points in P (or the set of the polynomials $f_i(z_1,\dots,z_r)$),

4) the two affine linear maps $L_1, L_2$.



2.6 Decryption 

Once we have the ciphertext $(y'_1,\dots,y'_n)$, the decryption includes the following steps:

I) compute $(y_1,\dots,y_n) = L_1^{-1}(y'_1,\dots,y'_n)$;

II) take all the elements $(\lambda, \mu)$ in P one by one, compute

$(y_{\lambda 1},\dots,y_{\lambda n}) = \phi^{-1} \circ F^{-1}((y_1,\dots,y_n) + \lambda),$

and check if $Z(y_{\lambda 1},\dots,y_{\lambda n})$ is the same as the corresponding $\mu$; if not, discard it, if yes, go to the next step;

III) compute $(x_{\lambda 1},\dots,x_{\lambda n}) = L_2^{-1} \circ \phi(y_{\lambda 1},\dots,y_{\lambda n})$. If there is only one solution, it is the plaintext. However, it is quite possible that we have more than one solution; then we can use the same technique as suggested for the HFE method, namely a few hash functions to differentiate which one is the right one. In our computer experiments, it seems that, in general, the multiplicity is surprisingly small, and the multiplicity of solutions behaves as expected, like that of randomly chosen functions.
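The construction of Sections 2.1 to 2.6 in runnable form, as an added example that is not the paper's code: it builds a toy PMI instance over k = GF(2) with constructed parameters n = 7, theta = 1, r = 2 and g(x) = x^7 + x + 1 (the paper's instance uses n = 136, r = 6), recovers the public key as explicit quadratic polynomials by interpolating the map, and decrypts by scanning the perturbation set P exactly as in steps I to III, returning every candidate plaintext so the multiplicity is visible. All function names are the example's own.

```python
"""Toy perturbed Matsumoto-Imai (PMI) over k = GF(2), K = GF(2^n): an added example,
not the paper's code. n = 7, theta = 1, r = 2 and g(x) = x^7 + x + 1 are constructed
for illustration (the paper's instance uses n = 136, r = 6). A vector in k^n is an
n-bit int (bit i = x_{i+1}), so phi: K -> k^n is the identity on this encoding."""
import random
N, THETA, R = 7, 1, 2
MOD = (1 << N) | 0b11    # g(x) = x^7 + x + 1, irreducible over GF(2)
ORDER = (1 << N) - 1     # q^n - 1
E = 1 + (1 << THETA)     # MI exponent 1 + q^theta; gcd(E, ORDER) = 1
T = pow(E, -1, ORDER)    # t with t(1 + q^theta) = 1 mod (q^n - 1)

def gf_mul(a, b):
    """Multiply in K = GF(2)[x]/(g(x)); elements are bit masks."""
    res = 0
    while b:
        res ^= a if b & 1 else 0
        a, b = (a << 1) ^ (MOD if a >> (N - 1) & 1 else 0), b >> 1
    return res

def gf_pow(a, e):
    res = 1
    while e:
        res, a, e = (gf_mul(res, a) if e & 1 else res), gf_mul(a, a), e >> 1
    return res

def affine(rows, b, x):
    """y = M x + b over GF(2); rows[i] is row i of M as a bit mask."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(rows)) ^ b

def invert(rows):
    """Gauss-Jordan over GF(2) on [M | I]; returns the rows of M^-1, or None."""
    aug = [(rows[i], 1 << i) for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if aug[r][0] >> col & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(N):
            if r != col and aug[r][0] >> col & 1:
                aug[r] = (aug[r][0] ^ aug[col][0], aug[r][1] ^ aug[col][1])
    return [inv for _, inv in aug]

def random_invertible():
    while (inv := invert((rows := [random.getrandbits(N) for _ in range(N)]))) is None:
        pass
    return rows, inv

def random_quadratic(nvars):
    """Random quadratic polynomial over GF(2) as a set of monomials (index tuples)."""
    monos = [()] + [(i,) for i in range(nvars)]
    monos += [(i, j) for i in range(nvars) for j in range(i + 1, nvars)]
    return {m for m in monos if random.getrandbits(1)}

def evalq(poly, v):  # evaluate a monomial set at bit vector v (x_i^2 = x_i)
    return sum(all(v >> i & 1 for i in m) for m in poly) & 1

def evalf(f, mu):  # f = (f_1, ..., f_n): k^r -> k^n, packed as an n-bit int
    return sum(evalq(fi, mu) << i for i, fi in enumerate(f))

def keygen(seed=2004):
    random.seed(seed)                            # deterministic toy key
    l1, l1_inv = random_invertible()
    l2, l2_inv = random_invertible()
    z = random_invertible()[0][:R]               # r linearly independent linear forms
    f = [random_quadratic(R) for _ in range(N)]
    pert = {}                                    # perturbation set P:
    for mu in range(1 << R):                     # lambda -> {mu : f(mu) = lambda}
        pert.setdefault(evalf(f, mu), set()).add(mu)
    return dict(l1=l1, l1_inv=l1_inv, b1=random.getrandbits(N), l2=l2, l2_inv=l2_inv,
                b2=random.getrandbits(N), z=z, zb=random.getrandbits(R), f=f, pert=pert)

def public_map(sk, x):
    """L1 o F~ o L2 with F~(v) = v^(1+q^theta) + f(Z(v)) (Sect. 2.2)."""
    v = affine(sk["l2"], sk["b2"], x)
    w = gf_pow(v, E) ^ evalf(sk["f"], affine(sk["z"], sk["zb"], v))
    return affine(sk["l1"], sk["b1"], w)

def public_polynomials(sk):
    """The public key y_1..y_n as quadratic polynomials in x_1..x_n, recovered by
    interpolating the map on 0, e_i and e_i + e_j (enough for degree <= 2)."""
    g0, ge = public_map(sk, 0), [public_map(sk, 1 << i) for i in range(N)]
    coef = {(): g0, **{(i,): ge[i] ^ g0 for i in range(N)}}
    coef.update({(i, j): public_map(sk, (1 << i) | (1 << j)) ^ ge[i] ^ ge[j] ^ g0
                 for i in range(N) for j in range(i + 1, N)})
    return [{m for m, c in coef.items() if c >> bit & 1} for bit in range(N)]

def encrypt(pk, x):
    return sum(evalq(p, x) << i for i, p in enumerate(pk))

def decrypt(sk, y):
    """Steps I-III of Sect. 2.6; returns every candidate plaintext (the
    multiplicity the paper discusses), the true one among them."""
    w = affine(sk["l1_inv"], 0, y ^ sk["b1"])               # I: apply L1^-1
    cands = []
    for lam, mus in sk["pert"].items():                     # II: scan P
        v = gf_pow(w ^ lam, T)                              # F^-1; char 2: -lamb = +lamb
        if affine(sk["z"], sk["zb"], v) in mus:             # Z(y_lambda) == mu ?
            cands.append(affine(sk["l2_inv"], 0, v ^ sk["b2"]))  # III: apply L2^-1
    return cands
```

Evaluating the interpolated polynomials agrees with the composed map on all 2^7 inputs, which confirms that the internal perturbation kept the public key quadratic; the candidate list returned by decrypt shows the multiplicity that step III has to resolve.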

We call our system a perturbed Matsumoto-Imai cryptosystem (PMI). It is evident that our method is a very general method that can be used to perturb any multivariable cryptosystem, such as the HFE cryptosystem. After perturbation, the security should be much stronger, but the decryption process is slower (by a factor of $q^r$).

3 A Practical Implementation 

For practical use, we suggest a 136-bit implementation of the PMI system.

We choose k to be $\mathbb{F}_2$.

We choose K to be a degree 136 extension of $\mathbb{F}_2$ and
g{x) = 1 + x + x^ + -I- 

We choose r to be 6, which means the dimension of the perturbation space 
is 6. 

We choose 

F{X) = X^ +\ 

In general, to have a security level of $2^{80}$, we suggest n to be at least 96 and r not less than 5. Our implementation example has a much stronger security level, at around 2^^®.

3.1 Implementation 

Public Key Size The public key contains 136 quadratic polynomials. Each polynomial has 136 x 137/2 quadratic terms, 136 linear terms and one constant term. The key size is about 100K bytes, which is rather big, but should not be a problem for any PC.

Encryption Computation Complexity For encryption, we need to compute the values of a set of quadratic polynomials for a given set of $x_1,\dots,x_n$; we can rewrite a quadratic polynomial in the following way:

$\sum_{i=1}^{n} x_i \Big( \sum_{j=i}^{n} a_{ij} x_j \Big) + c,$

which allows us to compute the value at roughly one and a half times the speed of a direct calculation. Therefore we need roughly 19,000 binary operations (including both addition and multiplication) to calculate the value of each polynomial. Therefore, on average, each message bit needs 19,000 binary operations.
Private Key Size The private key is much smaller in general; the main parts are: the 8 linear functions $z_i$, which are of size 127 x 8 bits, the two linear transformations $L_1$ and $L_2$ and their inverses, which need 127 x 128 x 4 bits, and the perturbation set P, which needs roughly 64 x 3 x 64 bits. The total is around 80,000 bits.



Decryption Computation Complexity For decryption, we need first to calculate the action of $L_1^{-1}$ on the ciphertext vector, which needs roughly 136 x 136 + 136 calculations, which can be neglected compared to the computations required for the second step. The same is true for the third step. The main part of the decryption process is step II, where we need to calculate 64 times the values of $F^{-1}$ and the values of $z_i$ and compare them with the second components of the corresponding element in P. The main part surely is to calculate $F^{-1}$. Due to the linearization method by Patarin, we can actually find $F^{-1}$ by solving a set of homogeneous linear equations. In this case, we will implement a fast algorithm to accomplish this as follows.

1) We identify K as a degree 17 extension of a field $K'$, which is a degree 8 extension over $\mathbb{F}_2$. In this case we can identify K as $K'^{17}$.

2) The map $F(X) = X^{1+q^\theta}$ can then be identified again as a quadratic map on $K'^{17}$. Then, with the relinearization by Patarin, finding the inverse of F becomes the process of solving a set of 17 homogeneous linear equations of rank 16, and then solving an equation of the form $\ldots = b$ over the field $K'$.

3) This process can be performed by making a multiplication table for the field $K'$. The table takes 2^® x 24 bits and each search is on a space of 2^® bits. Overall, each $F^{-1}$ calculation becomes mainly a process of solving a set of 17 linear equations over the field $K'$. Because the message is 136 bits, one can conclude that the decryption process will take roughly half of the time to solve 17 linear equations over $K'$ per bit.

We may also use the algorithm in [ACDG] to make this process even faster.



3.2 Security Analysis 

In general, a set of 136 quadratic polynomials with 136 variables is difficult to solve. However, special methods have been invented to attack specially designed systems. The Matsumoto-Imai system itself is not secure, which is mainly due to the linearization attack. Namely, any given plaintext $(x_1,\dots,x_n)$ and its ciphertext $(y_1,\dots,y_n)$ satisfy a set of linearization equations of the form

$\sum_{i,j} a_{ij} x_i y_j + \sum_i b_i x_i + \sum_j c_j y_j + d = 0.$

These equations essentially allow us to find enough linear equations satisfied by the plaintext from a ciphertext to defeat the system. Since then, new methods have been invented to attack multivariable cryptosystems, mainly the algebraic method [KS] and its extension the XL method, and, for the case of the Matsumoto-Imai Minus system, a method to search for “missing” terms.
Next, we will analyze one by one the impact of all the existing attacking methods on the perturbed Matsumoto-Imai system.



The Attack by Linearization Method From the name, we can see the PMI system should have a lot in common with the original MI system.

Let

$H_1 = \{\, Y \mid Y = \sum_i a_i \hat F_i(x_1,\dots,x_n) \,\},$

where $\hat F_i$ are components of the original Matsumoto-Imai cipher.

Let

$H_2 = \{\, Y \mid Y = \sum_i a_i y_i(x_1,\dots,x_n) \,\},$

where $y_i$ are components of the perturbed Matsumoto-Imai cipher.

Let

$H_3 = H_1 \cap H_2.$

Because the perturbation dimension is 6, and the dimension of the space of all linear and quadratic polynomials on a dimension 6 space over $\mathbb{F}_2$ is 21, where 15 are from quadratic terms and 6 are from linear terms, the dimension of $H_3$ is therefore 115 = 136 - 21. Intuitively, one can view our system as if we take 21 terms out of the total 136 public polynomials. This clearly eliminates all the possible linearization equations, which we confirm by our computer experiment. Therefore, the linearization method cannot be applied here to attack the system.



The Attack Methods Related to the MI Minus Systems The MI Minus systems are suggested for signature purposes. The method simply takes out a few public quadratic polynomials (Minus method) to improve the security. The main attack method on this system is to search for quadratic polynomials we can add to the system such that it becomes the original MI system. The search process uses the property that the map F is a permutation polynomial on the field K. This will allow the algebraic attack using linearization equations by Patarin to be applied successfully again.

For the PMI case, this method is not applicable, mainly for two reasons.

1) In the PMI systems, the perturbed map is no longer an injective (and also not surjective) map; therefore the properties of permutation polynomials can no longer be applied here to search for the missing terms, because no term is actually missing.

2) For our case, finding the “missing terms” is essentially to purge out the perturbation. For the pure Matsumoto-Imai Minus system, the attacker uses the fact that there is a good set of polynomials, namely the given polynomials actually come from the original MI system. For our case this is no longer the case, as all terms are mixed together. Therefore, there does not exist a good way to find the subspace of dimension 115 of the polynomials from the original MI system, namely the subspace $H_3$. One possible way is certainly just to guess which one is from $H_3$, and the probability to guess a right one is 1/64, which is not bad at all. The problem is that we have no way to judge if any one is the right guess or not. We conclude it is essentially impossible to find the missing terms this way.

The PMI and the Matsumoto-Imai Plus-Minus systems can be viewed in 
a very similar way. The similarity is that in the PMI system, we take out 21 
quadratic polynomials, and add 21 new polynomials, except that in our case, 
we did not add randomly 21 polynomials, but 21 perturbed polynomials. The 
attack on the Matsumoto-Imai Plus-Minus system is essentially the XL method, 
which we will discuss below. 



The Attack Methods on the HFE The special advantage of the perturbed MI system is its resistance to the algebraic attack methods that were first suggested for attacking the HFE systems. The basic attacking point of the algebraic attack method [KS] is that the quadratic part of the HFE, $\sum_{i,j} a_{ij} X^{q^i+q^j}$, can be viewed as a quadratic form with its variables being $X^{q^i}$, and the attack is to find a transformation to reduce a quadratic form into the above form with low rank using the Minrank method. For the PMI systems, this method is not applicable due to the fact that there is no way that, when using the above method, the perturbed polynomials can be rewritten into a low rank quadratic form. The reason for this is that, in the attack process using the algebraic method in [KS], the map Z from $k^n$ to $k^6$ is lifted to an embedding map $\bar Z$ from $k^n$ to $k^n$:

$\bar Z(x_1,\dots,x_n) = (Z(x_1,\dots,x_n), 0, \dots, 0);$

then it is further lifted to a k-affine linear map from K to K of the form

$\bar Z(X) = \sum_{i}^{A} a_i X^{q^i},$

where the highest term A should be at least 130, because the dimension of the pre-image of any point of this map is 130. Therefore, from the analysis of the efficiency of this method [KS, C], we know it should take much more than 2^^® computations to defeat the system by this method. This suggests that it should resist other related attacks as well [CDF, FJ].



XL Attack The XL method is a very general method for solving multivariable equations. This method can be viewed as a generalization of the algebraic attack using linearization equations, where one basically has to search for functions of only one variable in the ideal generated by $y_i(x_1,\dots,x_n) - y'_i$ by looking at linear combinations of terms like

$x_{i_1} x_{i_2} x_{i_3} \cdots x_{i_l}\,\big(y_j(x_1,\dots,x_n) - y'_j\big), \qquad l \le D - 2,$

where $y_i$ is the i-th public polynomial and $y'_i$ is the corresponding component of the ciphertext. The success of this method depends on the degree D. In [CKPS], there is an argument about the asymptotic growth of the complexity to attack a system with more equations than variables, but no final conclusion about the complexity is given. What is given are estimates based on some computer experiments, in particular, the case when there are 2 or more equations than variables, which for our case can be easily achieved by guessing the values of any 2 variables. According to their estimate, for our case, D should be 12, which is given by the square root of 136, and the XL attack needs to do a Gaussian elimination on about 136!/(124! 12!), roughly 2^® variables, which requires more than 2^^® operations.

For the case of $\mathbb{F}_2$, there exist improved versions of XL [CP], for example by adding the equations $x_i^2 = x_i$ into the system, and one may argue that the PMI system is not a general system, but a system based on the perturbation of the MI system. Therefore the attack complexity might be different. It is reasonable to believe that D should be determined by r in our case. For this, we did some computer experiments, which suggest that the security level is about the level mentioned above. But our experiment is on a much smaller scale (n = 27, r = 3). There is some evidence suggesting that D should be roughly r(r - 1)/2, when n is much bigger than r. According to such an estimate, the complexity of the attack is bigger than 2^^^. However, this formula is not a proven formula, but a conjecture, and it is an open question to find a precise formula of D for the PMI system in terms of both n and r, which then will tell us how we should choose r given n to ensure the desired security.

From the argument, we believe (not proven) that, with all the known attack methods, the security of our system has an attack complexity of 2^°°.



3.3 Comparison with Other Cryptosystem 

In this section, we would like to compare our system with other cryptosystems. 



Comparison with RSA In the case of RSA, we know that a minimum of 512 bits is required at this moment to ensure a security level of 2^°°. First, the key size of RSA surely is very small for both private and public keys, much smaller than for the PMI system.

The case of public and private computation complexity is however a different story. In the encryption and decryption process, each needs roughly 512 multiplications of two numbers of 512 bits modulo a number of 512 bits to process a message 512 bits long. Therefore, each bit of information requires two operations of multiplying two 512-bit numbers modulo a 512-bit number.

The conclusion is that the public key size for the PMI system is much bigger than for the RSA system (1M versus 1.5K), which however should not be a problem for any PC. In terms of per-bit efficiency, the comparison is between, on one hand, RSA, which requires two multiplications of two 512-bit numbers modulo another 512-bit number, and on the other hand, the PMI system, which requires solving 17 linear equations over a finite field of size $2^8$ with a given multiplication table. Our preliminary test indicates that the PMI is much faster. However, this is based on our own implementation and the assumption of the security of the system. The situation will be different if we have to increase r for security purposes. If we assume that our system is secure, and since the key transmission is only a one-time transaction, when substantial use is required, the PMI system could be better than the RSA system.



Comparison with Other Multivariable Cryptosystems The implementation of multivariable cryptosystems is for either authentication purposes or encryption purposes.

The main examples of signature schemes are the Quartz schemes, which are based on the HFE and Oil-Vinegar method, and the Sflash schemes, which are based on the Matsumoto-Imai Minus Method. Both of them were accepted for submission to the New European Schemes for Signatures, Integrity, and Encryption: IST-1999-12324, and Sflash was accepted in the final selection.

Current multivariable schemes that are still deemed secure and practical for encryption purposes are basically the HFE scheme, and the HFE and Oil-Vinegar schemes.

From a broader point of view, the Matsumoto-Imai Minus-Plus method can also be viewed as a form of perturbation, except that the perturbation is done through taking out components and adding randomly more components. In this case, each component taken out means a one dimensional exhaustive search in the decryption process, and if r components are taken out then a search on an r dimensional space is needed. However, for our case, if we perturb by an r dimensional space, we basically perform an r(r + 1)/2 dimensional Minus and then Plus operation, except here the Plus operation is not just to add randomly a set of components, but rather a set of “perturbed” components. In this context, we believe our perturbation method is a better choice compared with the Matsumoto-Imai Minus-Plus system.

It is surely possible to modify the PMI system by the Minus method for a signature scheme as well. What we believe is that it will be a more secure but slower scheme. This is because the perturbed map is not bijective as is the case for MI, and therefore one might have to go through a random search process during the signature process.

As we explained above, the idea of HFE is to replace the map F by a small degree map

$\sum_{i,j}^{A} a_{ij} X^{q^i+q^j} + \sum_{i}^{B} b_i X^{q^i} + c,$

but the degree cannot be too small due to the algebraic attack [KS] and the XL attack. For the case of a 128-bit implementation over $\mathbb{F}_2$, the degree needs to be 2^^ to ensure a security level as in our implementation example. However, to solve a degree 2^^ polynomial equation on the 128-bit field, it needs about 2^^ x 128 computations over the field to solve the equation for the decryption process, which is much slower than our scheme. Therefore, we believe that the PMI is a better scheme if our claim on the security is right; otherwise some version of HFE mixed with PMI will be even better.

The HFE and Oil-Vinegar scheme is an “external” perturbation, namely a new set of variables is introduced to perturb the system. However, our recent observation shows that, due to the nature of the “external” perturbation, we can extend the algebraic method [KS] from the one variable to the two variables case. It seems that we can actually use this generalized algebraic method of [KS] to purge out the perturbation if the polynomial F for the HFE equation before the perturbation is small. Once this is done, the original algebraic method [KS] and the XL can be used to attack the system again. Therefore, we think the security of the HFE and Oil-Vinegar scheme is based on the security of the HFE part, not the oil-vinegar part [CDF, FJ]. The details of this work will be given in a separate paper.

4 Discussion 

This paper is a suggestion of a new multivariable cryptosystem, the Perturbed Matsumoto-Imai system, the PMI system. This new system is based on a new theoretical idea of “internal” perturbation. The practical scheme we suggest is an implementation of the idea that creates a 136-bit open-key cryptosystem, and the key size is big (1M). However, the main purpose of this paper is to introduce the theoretical idea of “internal” perturbation, which, we believe, is a very general and applicable idea. Actually, our perturbation idea is not just restricted to the MI systems. We realize that it may actually be a much better idea to combine the HFE method with our “internal” perturbation method, rather than the “external” Oil-Vinegar scheme, namely we will perturb the HFE with a small subspace inside and we do not introduce any new variables. The security is improved because of the perturbation and the impossible task of purging out the perturbation. The reason for this is exactly due to the fact that it is internal, and therefore is fully mixed into the system, unlike the case of Oil-Vinegar mixing.

The argument about security and efficiency in this paper is based on intuitive and rough ideas and not on strict mathematical arguments. We do not understand why we can do so as well, and we believe it is a very interesting problem. Therefore, we plan to perform more computer simulations, which may give some ideas of how things really are.
Abstract. In this paper, we propose a scheme to simultaneously prove the correctness of both shuffling and decryption. Our scheme is the most efficient of all previous schemes, as a total, in proving the correctness of both shuffling and decryption of ElGamal ciphertexts. We also propose a formal definition for the core requirement of unlinkability in verifiable shuffle-decryption, and then prove that our scheme satisfies this requirement. The proposed definition may also be useful for proving the security of verifiable shuffle-decryption, hybrid mix networks, and other mix-nets.



Keywords: Voting, Shuffle, Decryption, Permutation Hiding 

1 Introduction 

A mix-net [3] scheme is useful in applications, such as voting, which require 
anonymity. Crucial to a mix-net scheme is the execution of multiple rounds of 
shuffling and decryption by multiple, independent mixers, so that none of the 
output decryptions can be linked to any of the input encryptions. 

To ensure the correctness of the output, it is desirable to achieve the property 
of universal verifiability. Early studies, such as those by Sako and Kilian [21] 
and Abe [1], required vast amounts of computation to prove and verify the 
correctness of a mix-net without sacrificing unlinkability. However, recently 
proposed schemes [9,8,17,13] are sufficiently efficient and practical. The 
schemes of [9,8] use the property of permutation matrices, and the schemes of 
[17,13] use the fact that polynomials remain invariant under permutations of 
their roots. The schemes of [9], [17], and [13] require the respective 
computation of 18k, 42k, and 12k modular exponentiations to prove and verify the 
correctness of a shuffle of k data. The scheme of [8] requires 19k modular 
exponentiations to prove and verify both shuffling and decryption. Groth's 
scheme [13] is the most efficient. 

A result of these recent works is that proving the correctness of decryption 
now costs as much as proving the correctness of shuffling. Hence, decreasing the 
cost of proving decryption has also become important in mix-nets. The scheme 
of [8], which was based on the scheme of [9], made it possible to simultaneously 
prove the correctness of both a shuffling and a decryption; this is more 
efficient in terms of computation and communication complexity than proving 
each of these separately. 



F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 319-332, 2004. 
(c) International Association for Cryptologic Research 2004 
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However, as is mentioned in [8], the scheme of [9,8] is not zero-knowledge, 
and this simultaneous proving technique never yields a zero-knowledge protocol^1. 
A simple combination of two zero-knowledge protocols, of a verifiable shuffle 
and of a verifiable decryption, also does not yield a zero-knowledge protocol, 
since the intermediate state cannot be simulated. Therefore, a formal definition 
for the core requirement of unlinkability in verifiable shuffle-decryption, a 
notion weaker than zero-knowledge, is desired. 

Such a formal definition will also be useful for considering the security of 
verifiable mix-nets, hybrid mix networks, flush mixes, and other mix-nets 
[12,14,15,18]. For example, during the decryptions in a hybrid mix network, the 
servers that decrypt ciphertexts generate many extra data that are not 
themselves encryptions of plain texts (e.g., encrypted secret keys, MACs, 
intermediate states, etc.). Hence, even if each component protocol of a hybrid 
mix network is zero-knowledge, we must confirm that these extra data do not 
spoil the unlinkability of the total hybrid mix network. 

In this paper, we first propose a formal definition for the core requirement of 
unlinkability in verifiable shuffle-decryption. Next, we propose the most efficient 
scheme to simultaneously prove the correctness of both shuffling and decryption, 
which is an improved version of the scheme of [8]. Finally, we prove that the 
proposed scheme satisfies the proposed requirement. 

Our scheme requires roughly 14k exponentiations to prove and verify the 
correctness of both a shuffle and a decryption of k data, 1344k bits of 
communication, and five rounds. To prove and verify the correctness of both a 
shuffle and a decryption of k data with Groth's protocol [13], using the 
standard technique for proving the correctness of decryption, we require 15k 
exponentiations, 2528k bits of communication, and seven rounds. 

Although the security of the schemes of [9] and [8] has never been proven, we 
are now able to prove that these schemes satisfy the proposed requirement and 
are secure. Conversely, it is easy to prove that several hybrid mix networks 
which are vulnerable to message-resending attacks, such as [15], do not satisfy 
the proposed requirement. 

Our paper is organized as follows. Section 2 introduces the model of 
shuffle-decryption. Section 3 proposes a definition for the requirement of 
unlinkability in verifiable shuffle-decryption. Section 4 proposes a protocol by 
which we are able to simultaneously prove the correctness of a 
shuffle-decryption in an efficient way. Section 5 compares the efficiency of 
our protocol to prior work. 



2 Notation and Model 

2.1 Notation 

Let $p, q$ be two primes s.t. $q \mid (p-1)$ and $3 \nmid (q-1)$, $G_q$ be the 
order-$q$ subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$, $g_0$ be an element of 
$G_q$, $k$ be the number of ElGamal ciphertexts to be shuffled, and $\ell$ be 
the number of shufflers. Let $x^{(\lambda)} \in_R \mathbb{Z}/q\mathbb{Z}$ be the 
private key of the $\lambda$-th shuffler used for the partial decryption and 
$y_\lambda = g_0^{x^{(\lambda)}} \bmod p$ be the corresponding public key. Let 
$y^{(\lambda)} = \prod_{\kappa \le \lambda} y_\kappa \bmod p$ be the public key 
used for the shuffle of the $\lambda$-th shuffler. 

^1 Whereas it is easy to make a perfect (and more efficient) zero-knowledge 
version of the protocol proposed in [9]. This version is presented in an 
appendix of [7]. 

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Let $(g_i, m_i) = (g_0^{r_i}, M_i m_0^{r_i}) \bmod p$, $i = 1, \dots, k$, be 
the tuple of ElGamal ciphertexts input to the $\ell$-th shuffler, where 
$\{M_i \in G_q\}_{i=1,\dots,k}$ is the set of plain texts to be encrypted, 
$\{r_i \in_R \mathbb{Z}/q\mathbb{Z}\}_{i=1,\dots,k}$ are uniformly and randomly 
chosen elements of $\mathbb{Z}/q\mathbb{Z}$, and $m_0 = y^{(\ell)}$. The tuple 
of ciphertexts input to the $\lambda$-th shuffler is shuffled with the public 
key $y^{(\lambda)}$ and then partially decrypted with the private key 
$x^{(\lambda)}$. The resulting tuple of ciphertexts is passed to the 
$(\lambda-1)$-th shuffler. In the rest of the paper, we only consider the 
$\lambda$-th shuffler and omit the index $(\lambda)$. 

Treating the public key $g_0, m_0$ as if it were an element of the ciphertext 
vector may be awkward, but it gives a more compact and unified representation of 
the variables. Here, the public key is the set $\{p, q, g_0, m_0, y\}$. $P$ is a 
prover who shuffles and decrypts and proves the validity of the shuffle and 
decryption to a verifier $V$. 

The only shuffling we consider in this paper is that of the ElGamal 
cryptosystem, which is the most elegant candidate cryptosystem for mix-nets. 
However, extending the requirement of unlinkability defined in this paper to 
other cryptosystems is easy. 

2.2 ElGamal Shuffle Decryption 

ElGamal shuffling is a procedure that, given $k$ ElGamal ciphertexts 
$(g_i, m_i)$, $i = 1, \dots, k$, outputs ElGamal ciphertexts 

$$(g'_i, m'_i) = \bigl(g_0^{s_i} g_{\phi^{-1}(i)},\; m_0^{s_i} m_{\phi^{-1}(i)}\bigr) \bmod p, \qquad i = 1, \dots, k,$$

where $s_i \in_R \mathbb{Z}/q\mathbb{Z}$ for $i = 1, \dots, k$ and a permutation 
of indices $\phi : \{1, \dots, k\} \to \{1, \dots, k\}$ are chosen uniformly and 
randomly. 

Shuffling of ElGamal ciphertexts results in the following two important 
properties: 

1. There exists a permutation $\phi$ s.t. the equations 
$D_x((g'_i, m'_i)) = D_x((g_{\phi^{-1}(i)}, m_{\phi^{-1}(i)}))$ hold for all $i$. 
Here, $D_x(\cdot)$ is the decryption algorithm that uses the private key $x$. 

2. As long as the decision Diffie-Hellman problem is difficult to solve, no 
polynomially bounded algorithm, given only 
$p, q, g_0, m_0, (g_i, m_i), (g'_i, m'_i)$; $i = 1, \dots, k$, has an advantage 
over the random-guessing algorithm in guessing any part of the permutation 
$\phi$ for uniformly and randomly chosen $g_0, m_0, s_i, r_i, \phi$. 

ElGamal shuffle decryption is the combined procedure of ElGamal shuffling and 
partial decryption that, given $k$ ElGamal ciphertexts $(g_i, m_i)$, 
$i = 1, \dots, k$, outputs ElGamal ciphertexts 

$$(g'_i, m'_i) = \bigl(g_0^{s_i} g_{\phi^{-1}(i)},\; g_i'^{\,-x'} m_0^{s_i} m_{\phi^{-1}(i)}\bigr) \bmod p, \qquad i = 1, \dots, k, \tag{1}$$

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where $s_i \in_R \mathbb{Z}/q\mathbb{Z}$, $i = 1, \dots, k$, and $\phi$ are 
chosen uniformly and randomly. Here, the multiplication by $g_i'^{\,-x'}$ in the 
second term has the effect of partial decryption. 
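The chain of shuffle-decryptions described in Sections 2.1 and 2.2, run end to end, as an added example that is not part of the original paper: each shuffler re-randomizes under the product of the public keys still to be removed and strips off its own key, so after every stage the tuples are still ElGamal ciphertexts under the remaining keys, and the last shuffler leaves plaintexts. The group ($p = 2039$, $q = 1019$, $g_0 = 4$) is a toy choice for readability, and the function names are mine.

```python
"""Mix-net of ElGamal shuffle-decryptions, Eq. (1), run end to end.
Added example; the group below is a toy (p = 2q + 1 with 3 not dividing q - 1), not a production size."""
import secrets

P, Q, G0 = 2039, 1019, 4   # P prime, Q = (P-1)/2 prime, G0 = 2^2 generates the order-Q subgroup G_Q


def keygen():
    """Shuffler's key pair (x_lambda, y_lambda = g0^x_lambda)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G0, x, P)


def encrypt(M, m0):
    """Sender: (g_i, m_i) = (g0^r, M * m0^r), m0 being the product of the public keys of all shufflers."""
    r = secrets.randbelow(Q)
    return pow(G0, r, P), M * pow(m0, r, P) % P


def decrypt(ct, x):
    g, m = ct
    return m * pow(g, (-x) % Q, P) % P


def shuffle_decrypt(cts, x_p, m0):
    """Eq. (1): (g'_i, m'_i) = (g0^{s_i} g_j, g'_i^{-x'} m0^{s_i} m_j) with j = phi^{-1}(i).
    m0 is the key the *inputs* are encrypted under; x' is the key this shuffler strips off."""
    k = len(cts)
    phi_inv = list(range(k))
    secrets.SystemRandom().shuffle(phi_inv)            # phi_inv[i] = phi^{-1}(i)
    out = []
    for i in range(k):
        g, m = cts[phi_inv[i]]
        s = secrets.randbelow(Q)
        gp = pow(G0, s, P) * g % P
        out.append((gp, pow(gp, (-x_p) % Q, P) * pow(m0, s, P) * m % P))
    return out


def mixnet(plaintexts, n_shufflers):
    """Shufflers l, l-1, ..., 1 in turn, as in Section 2.1: shuffler lambda re-randomizes under
    y^(lambda) = prod_{kappa <= lambda} y_kappa and removes x^(lambda), leaving ciphertexts under y^(lambda-1).
    Returns the ciphertext tuples after every stage and the shufflers' private keys x_1..x_l."""
    keys = [keygen() for _ in range(n_shufflers)]         # keys[lambda-1] = (x_lambda, y_lambda)
    y_upto = [1]                                           # y^(0) = 1
    for _, y in keys:
        y_upto.append(y_upto[-1] * y % P)
    stages = [[encrypt(M, y_upto[-1]) for M in plaintexts]]   # senders encrypt under y^(l)
    for lam in range(n_shufflers, 0, -1):
        stages.append(shuffle_decrypt(stages[-1], keys[lam - 1][0], y_upto[lam]))
    return stages, [x for x, _ in keys]


def recovered_plaintexts(stages, xs):
    """After t shufflers the tuples are ElGamal ciphertexts under y_1 ... y_{l-t}; decrypting stage t
    with x_1 + ... + x_{l-t} must give the same multiset of plaintexts (the final stage needs no key)."""
    l = len(xs)
    return [sorted(decrypt(ct, sum(xs[:l - t]) % Q) for ct in cts) for t, cts in enumerate(stages)]


if __name__ == "__main__":
    msgs = [pow(a, 2, P) for a in (2, 3, 5, 7, 11)]     # plaintexts must lie in G_Q: squares mod P
    stages, xs = mixnet(msgs, 3)
    print("plaintext multiset preserved at every stage:",
          all(r == sorted(msgs) for r in recovered_plaintexts(stages, xs)))
```

Note that only the multiset of plaintexts is preserved: the output order after each stage is the shuffler's secret permutation, which is exactly what the CPH definition of Section 3 is about.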

A sequence of shuffle-decryptions composes a mix-net [21]. In this paper, we 
propose a formal definition for the core requirement of unlinkability in this 
verifiable ElGamal shuffle-decryption, and then we propose an efficient 
verifiable ElGamal shuffle-decryption. 

3 Complete Permutation Hiding 

We propose here the notion of complete permutation hiding (CPH) as the core 
requirement of unlinkability in verifiable shuffle-decryption. If a verifiable 
shuffle-decryption is CPH, honest verifiers will learn nothing new about its 
permutation from an interaction with a prover in an overwhelming number of cases 
of the random tape that the prover has chosen uniformly and randomly, whereas, 
if the protocol is zero-knowledge, verifiers will learn nothing new in every 
case of the random tape. In other words, we define CPH so that verifiers learn 
nothing about the permutation in an overwhelming number of cases of common 
input $X_n$ and witness $W_n$ that the generator $G_R$ (defined below) outputs. 

Let $I_n$ be a set of domain parameters $1^n, p, q$, where $p$ and $q$ are 
primes whose lengths are polynomial in $n$, a private key $x$, plain texts 
$\{M_i \in G_q\}_{i=1,\dots,k}$, and a random tape $Z_n$. Let $\mathrm{enc}(U)$ 
be an encoding of a probabilistic polynomial time (PPT) Turing machine $U$ 
which generates the cipher-texts $\{(g_i, m_i)\}_{i=1,\dots,k}$ input to the 
shuffle-decryption procedure. We assume the existence of a knowledge extractor 
that can extract $\{r_i\}_{i=1,\dots,k}$ such that $g_0^{r_i} = g_i$ from $U$. 
This assumption is satisfied if all generators of cipher-texts are required to 
prove knowledge of $r_i$, and such a requirement prevents adaptively chosen 
cipher-text attacks. 

Definition 1. Given $I_n$ $(= \{1^n, p, q, x \in \mathbb{Z}/q\mathbb{Z}, \{M_i \in G_q\}_{i=1,\dots,k}, Z_n\})$ 
and $\mathrm{enc}(U)$, the instance generator $G_R$ chooses $g_0 \in_R G_q$, 
$x' \in_R \mathbb{Z}/q\mathbb{Z}$, $\{s_i \in_R \mathbb{Z}/q\mathbb{Z}\}_{i=1,\dots,k}$ 
and a permutation $\phi$ uniformly and randomly, and computes 

$$m_0 = g_0^{x'+x},\quad y = g_0^{x'} \bmod p$$
$$\{(g_i, m_i)\}_{i=1,\dots,k} = U(I_n, g_0, y) \in G_q \times G_q$$
$$(g'_i, m'_i) = \bigl(g_0^{s_i} g_{\phi^{-1}(i)},\; g_i'^{\,-x'} m_0^{s_i} m_{\phi^{-1}(i)}\bigr) \bmod p.$$

$G_R$ then outputs common input $X_n$ and witness $W_n$: 

$$X_n = \{p, q, y, g_0, m_0, \{(g_i, m_i)\}_{i=1,\dots,k}, \{(g'_i, m'_i)\}_{i=1,\dots,k}\},$$
$$W_n = \{\phi, \{s_i\}_{i=1,\dots,k}, x'\}.$$

In the above definition, $U$ is a PPT Turing machine that plays the role of 
(malicious and colluding) players who generate the cipher-texts 
$\{(g_i, m_i)\}$. Although $U$ is determined before the public parameter is 
generated, this loses no generality because $U$ has this public parameter as an 
input. In the case where $U$ realizes honest players, it outputs 
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$(g_i, m_i) = (g_0^{r_i}, M_i m_0^{r_i}) \bmod p$ 

using random numbers $r_i$ generated from the random tape $Z_n$. 

We say $X_n$ and $W_n$ satisfy relation $R$ if the following equations are 
satisfied: 

$$m_0 = g_0^{x'+x},\quad y = g_0^{x'} \pmod p$$
$$(g'_i, m'_i) = \bigl(g_0^{s_i} g_{\phi^{-1}(i)},\; g_i'^{\,-x'} m_0^{s_i} m_{\phi^{-1}(i)}\bigr) \pmod p.$$

We denote this fact as $(X_n, W_n) \in R$. If there exists a witness $W_n$ for 
a common input $X_n$ that satisfies $(X_n, W_n) \in R$, the common input $X_n$ 
is a correct shuffle-decryption. Generator $G_R$ outputs such a pair 
$(X_n, W_n)$. 

Definition 2. Let $\mathrm{View}_V(X_n, W_n)$ be $V$'s view of an interaction 
with $P$, which is composed of the common input $X_n$, the messages $V$ receives 
from $P$, the random tape input to $V$, and the messages $V$ sends to $P$ during 
the joint computation employing $X_n$, where $P$ has auxiliary input $W_n$ s.t. 
$(X_n, W_n) \in R$. $\mathrm{View}_V$ is an abbreviation of 
$\mathrm{View}_V(X_n, W_n)$. 

We consider the case where a semi-honest verifier may collude with malicious 
players who encrypt the ciphertexts and with other provers who shuffle and 
decrypt in the same mix-net. Such a verifier and players may obtain partial 
information regarding the plain texts $\{M_i\}$, the private key $x$ (the sum of 
the other provers' private keys in the mix-net), the random tapes of players, 
and even a part of the permutation $\phi$, in addition to $\mathrm{View}_V$. 
Moreover, they may obtain the results of other shuffle-decryptions executed by 
the same prover. 

It is then reasonable to describe this extra information as 
$H(I_n, \mathrm{enc}(U), X_n, \phi)$ and the input cipher-texts generated by the 
malicious players as $U(I_n, g_0, y)$, using PPT Turing machines $H(\cdot)$ and 
$U(\cdot)$. Note that $\{s_i\}$ are not included in the arguments of $H$, 
because we consider only the case where the prover never reveals these values 
to anyone and never uses the same $\{s_i\}$ for other shuffle-decryptions. 

Even though the verifier and the players may obtain the results of other 
shuffle-decryptions executed by the same prover who uses $x'$, we do not include 
$x'$ in the input of $U$ and $H$. Instead, we assume that there exists a PPT 
Turing machine $K$ such that the distribution of $\mathrm{View}_V$ for such $H$ 
and $U$ and that of $K(I_n, g_0, y, \mathrm{enc}(U), \phi)$ are the same. We 
denote this as $\mathrm{View}_V \approx K(I_n, g_0, y, \mathrm{enc}(U), \phi)$. 
The exclusion of $x'$ is crucial because it enables us to consider the security 
of shuffle-decryption over the distribution of $X_n$, i.e., of $x'$. 

We describe the information about the permutation $\phi$ that verifiers try to 
learn as $f(\phi)$, using a PPT Turing machine $f$. This description can be 
justified because the expression $f(\phi)$ is sufficient to express any bit of 
$\phi$ and any kind of checksum for $\phi$. 

Now we can say that a verifiable shuffle-decryption protocol hides its 
permutations completely with respect to $G_R$, i.e., CPH holds, if there exists 
a probabilistic polynomial time algorithm $E'^{E}$ (which has black-box access 
to $E$) 
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with inputs $X_n$ and $H(I_n, \mathrm{enc}(U), X_n, \phi)$ that suffers no 
disadvantage with respect to learning anything about the permutation compared 
to any probabilistic polynomial time verifier $E$ having input $\mathrm{View}_V$ 
and $H(I_n, \mathrm{enc}(U), X_n, \phi)$. This leads to: 

Definition 3 (complete permutation hiding). A verifiable shuffle-decryption 
protocol $(P, V, G_R)$ achieves complete permutation hiding if 

$$\exists E'\ \forall E\ \forall f\ \forall U\ \forall H\ \exists K\ \exists N\ \forall n > N:$$
$$\Pr[E(\mathrm{View}_V, H(I_n, \mathrm{enc}(U), X_n, \phi)) = f(\phi)] < \Pr[E'^{E}(X_n, H(I_n, \mathrm{enc}(U), X_n, \phi)) = f(\phi)] + \varepsilon \tag{2}$$

and 

$$\mathrm{View}_V \approx K(I_n, g_0, y, \mathrm{enc}(U), \phi),$$

where $E', E, H, f, U, K$ are PPT Turing machines and $\varepsilon$ is 
negligible in $n$. The left probability in Eq. (2) is taken over the 
distribution of the random tapes input to $G_R$, $P$, $V$, $H$, and $E$. The 
right probability in Eq. (2) is taken over the distribution of the random tapes 
input to $G_R$, $H$, $E'$, and $E$. $E'$ may use $E$ as a black box. 

If the verifiable shuffle-decryption protocol is CPH, we can say that for every 
input ciphertext set $\{(g_i, m_i)\}$ and its corresponding output ciphertext 
set $\{(g'_i, m'_i)\}$, whatever an honest verifier who has partial information 
$H(I_n, \mathrm{enc}(U), X_n, \phi)$ about the common input $X_n$ can learn 
about the permutation $\phi$ after interacting with a prover can also, in an 
overwhelming number of cases of common input $X_n$, be efficiently computed 
from that common input $X_n$ and that partial information 
$H(I_n, \mathrm{enc}(U), X_n, \phi)$ alone using a PPT Turing machine $E'$ 
without interaction with the prover, as long as the prover has chosen the 
private key $x'$, the permutation $\phi$, and the random numbers $\{s_i\}$ 
uniformly and randomly. 

Note that we are considering even the case where malicious and colluding 
players, who have the results of other shuffle-decryptions with the same $x'$, 
are engaged in generating the $\{(g_i, m_i)\}$ of the common input. Hence, CPH 
guarantees security when shuffle-decryptions with the same private key are 
repeatedly executed^2. 

Extensions of the proposed definition of the requirement regarding 
unlinkability to other mix-net systems (in the sense that verifiers can learn 
nothing new about the permutation in an overwhelming number of cases of common 
input) are easy. Hence, extended CPHs may be suitable measures of the security 
of verifiable 

^2 Since the probability is taken over a distribution containing $x'$, we have 
excluded any adversary who knows $x'$. 

^3 The definition of shuffle-decryption stated in [8] is "No polynomially 
bounded adversary can compute any partial information of the permutation from 
the protocol". Unlike our new definition, this definition does not mention the 
case where the verifier has already obtained partial information before the 
protocol begins and where shuffle-decryptions with the same private key are 
repeatedly executed. These cases seem to occur quite often. 




Efficient, Verifiable Shuffle Decryption and Its Requirement of Unlinkability 325 



shuffle-decryptions, verifiable mix-nets, verifiable hybrid mix networks, and other 
verifiable mix-nets. 



4 Proposed Verifiable Shuffle Decryption 

In this section, we propose a CPH verifiable shuffle decryption scheme, which is 
special in the sense that the verifier's random tape is identical to its 
challenge. The proposed protocol is, in total, the most efficient of all 
previous schemes for proving the correctness of both shuffling and decryption 
of ElGamal ciphertexts. The scheme requires five rounds. 



4.1 Permutation Matrix 



Our scheme uses the property of permutation matrices defined below. 

Definition 4. Let $q$ be a prime. A matrix $(A_{ij})_{i,j=1,\dots,k}$ is a 
permutation matrix over $\mathbb{Z}/q\mathbb{Z}$ if it satisfies 

$$A_{ij} = \begin{cases} 1 \bmod q & \text{if } \phi(i) = j \\ 0 \bmod q & \text{otherwise} \end{cases}$$

for a permutation function $\phi : \{1, \dots, k\} \to \{1, \dots, k\}$. 

Using a permutation matrix $(A_{ij})$, which corresponds to a permutation 
$\phi$, we find that Eq. (1) can be expressed as 

$$(g'_i, m'_i) = \Bigl(g_0^{s_i} \prod_{j=1}^{k} g_j^{A_{ji}},\; g_i'^{\,-x'} m_0^{s_i} \prod_{j=1}^{k} m_j^{A_{ji}}\Bigr) \bmod p. \tag{3}$$

Therefore, proving the correctness of the shuffle is equivalent to proving the 
existence of an $x' \in \mathbb{Z}/q\mathbb{Z}$, $s_i \in \mathbb{Z}/q\mathbb{Z}$ 
for $i = 1, \dots, k$ and a permutation matrix $(A_{ij})_{i,j=1,\dots,k}$ which 
satisfy Eq. (3). 

The following theorem is the key to constructing the proposed protocol. 

Theorem 1 ([9] Theorem 1). Let $q$ be a prime. A matrix 
$(A_{ij})_{i,j=1,\dots,k}$ is a permutation matrix over $\mathbb{Z}/q\mathbb{Z}$ 
if and only if 

$$\sum_{h=1}^{k} A_{hi} A_{hj} A_{hl} = \delta_{ijl} = \begin{cases} 1 \pmod q & \text{if } i = j = l \\ 0 \pmod q & \text{otherwise} \end{cases} \tag{4}$$

and 

$$\sum_{h=1}^{k} A_{hi} A_{hj} = \delta_{ij} = \begin{cases} 1 \pmod q & \text{if } i = j \\ 0 \pmod q & \text{if } i \ne j \end{cases} \tag{5}$$

for all $i$, $j$, and $l$. 

Proof. See the proof of Theorem 1 in [9] or the appendix of [7]. 
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Theorem 2. For $3 \nmid (q-1)$, a matrix $(A_{ij})_{i,j=1,\dots,k}$ is a 
permutation matrix over $\mathbb{Z}/q\mathbb{Z}$ if and only if Eq. (4) holds. 

Proof. ($\Rightarrow$) is trivial. ($\Leftarrow$): From the proof of Theorem 1 
in [9], if Eq. (4) holds, then there is only one non-zero element $a$ in the 
$i$-th row and it must satisfy $a^3 = 1 \bmod q$. Because $3 \nmid (q-1)$ 
implies that 1 is the only cube root of 1 in $\mathbb{Z}/q\mathbb{Z}$, $a$ must 
be 1. Therefore, the matrix $(A_{ij})_{i,j=1,\dots,k}$ is a permutation matrix 
over $\mathbb{Z}/q\mathbb{Z}$. 

The soundness of our scheme depends directly on Theorem 2. 
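As an added example (not from the paper), the checks of Eqs. (4) and (5) and of Definition 4 in Python, with a brute-force count over all $2 \times 2$ matrices that shows why Theorem 2 needs $3 \nmid (q-1)$: for $q = 7$ the elements 2 and 4 are cube roots of unity, so Eq. (4) alone admits 18 matrices, of which only the 2 permutation matrices also satisfy Eq. (5); for $q = 11$ Eq. (4) alone already singles out the 2 permutation matrices. The moduli and function names are my choices.

```python
"""Permutation-matrix tests of Section 4.1 (Eqs. (4), (5)) and the cube-root-of-unity caveat behind
Theorem 2. Added example (not from the paper); q = 7 and q = 11 are toy moduli, k = 2 keeps brute force cheap."""
from itertools import product


def delta3(i, j, l):
    return 1 if i == j == l else 0


def satisfies_eq4(A, q):
    """sum_h A_hi A_hj A_hl = delta_ijl (mod q) for all column triples (i, j, l); A[h][i] is row h, column i."""
    k = len(A)
    return all(sum(A[h][i] * A[h][j] * A[h][l] for h in range(k)) % q == delta3(i, j, l)
               for i, j, l in product(range(k), repeat=3))


def satisfies_eq5(A, q):
    """sum_h A_hi A_hj = delta_ij (mod q) for all column pairs (i, j)."""
    k = len(A)
    return all(sum(A[h][i] * A[h][j] for h in range(k)) % q == (1 if i == j else 0)
               for i, j in product(range(k), repeat=2))


def is_permutation_matrix(A, q):
    """Definition 4: entries are 0 or 1 (mod q) and every row and every column holds exactly one 1."""
    k = len(A)
    B = [[a % q for a in row] for row in A]
    return (all(a in (0, 1) for row in B for a in row)
            and all(sum(row) == 1 for row in B)
            and all(sum(B[h][i] for h in range(k)) == 1 for i in range(k)))


def cube_roots_of_unity(q):
    """All a in Z/qZ with a^3 = 1; this is just [1] exactly when 3 does not divide q - 1."""
    return [a for a in range(1, q) if pow(a, 3, q) == 1]


def count_matrices(q, k=2):
    """Brute force over every k x k matrix mod q: how many satisfy Eq. (4), Eqs. (4)+(5), and Def. 4."""
    n4 = n45 = nperm = 0
    for entries in product(range(q), repeat=k * k):
        A = [list(entries[r * k:(r + 1) * k]) for r in range(k)]
        if satisfies_eq4(A, q):
            n4 += 1
            if satisfies_eq5(A, q):
                n45 += 1
        if is_permutation_matrix(A, q):
            nperm += 1
    return n4, n45, nperm


if __name__ == "__main__":
    # q = 7: 3 | q-1, so 2 and 4 are non-trivial cube roots of 1 and Eq. (4) alone is not enough
    print("cube roots of 1 mod 7:", cube_roots_of_unity(7))            # [1, 2, 4]
    bad = [[2, 0], [0, 1]]                                              # 2^3 = 8 = 1 (mod 7)
    print("Eq.(4):", satisfies_eq4(bad, 7), "Eq.(5):", satisfies_eq5(bad, 7),
          "permutation:", is_permutation_matrix(bad, 7))                # True False False
    print("q=7  (Eq4, Eq4&5, Def4):", count_matrices(7))                # (18, 2, 2)
    # q = 11: 3 does not divide q-1, so Eq. (4) alone characterises permutation matrices (Theorem 2)
    print("q=11 (Eq4, Eq4&5, Def4):", count_matrices(11))               # (2, 2, 2)
```

The practical reading of the count: a prover who could pick $q$ with $3 \mid (q-1)$ would have 18 "matrices" passing the cubic test for $k = 2$ (and $k!\,3^k$ in general), so the parameter check $3 \nmid (q-1)$ is part of the verifier's job, not an optional optimization.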

4.2 Protocol Structure and Tricks for Efficiency 

The verifiable shuffle decryption protocol we propose in this section is almost 
the same as the scheme proposed in [8]. The proposed scheme and the scheme of 
[8] are roughly composed of four proofs. These are, (i) generation of 
$\{f'_i\}_{i=1,\dots,k}$ and a proof of knowledge of $s_i$ and $(A_{ji})$ that 
satisfy 

$$f'_i = f_0^{s_i} \prod_{j=1}^{k} f_j^{A_{ji}} \bmod p, \qquad i = 1, \dots, k, \tag{6}$$

for uniformly and randomly chosen $\{f_\nu \in_R G_q\}_{\nu=0,\dots,k}$, (ii) a 
proof that the $(A_{ji})$ whose knowledge was proved in (i) is a permutation 
matrix (using Theorem 1 or 2), (iii) a proof that the $s_i$ and $(A_{ji})$ whose 
knowledge was proved in (i) also satisfy Eq. (3), and (iv) a proof of knowledge 
of the decryption key. 

In Proof (ii), there are commitment, challenge, and response phases. The main 
difference between our scheme and the scheme of [8] is that we have introduced 
the values $f_{-2}, f_{-1}$ in the proposed scheme. Because of these values, the 
$f'_i$ in the commitment are modified from 
$f'_i = f_0^{s_i} \prod_{j=1}^{k} f_j^{A_{ji}}$ to 
$f'_i = f_{-2}^{A_{-2i}} f_{-1}^{A_{-1i}} f_0^{s_i} \prod_{j=1}^{k} f_j^{A_{ji}}$. 

As a result, we have more redundancy ($A_{-2i}, A_{-1i}$) to generate the 
$f'_i$. We then adjusted $A_{-2i}, A_{-1i}$ so that some values in the 
commitment become zero, which decreased the number of terms in the checking 
equations of the response phase^3. Another difference is that the proposed 
scheme adopts a prime $q$ such that $3 \nmid (q-1)$. Because of this, verifiers 
no longer need to confirm that Equation (5) holds^4. The other difference is 
with respect to the verification of Eq. (9). Verifying that Eq. (9) holds is 
equivalent to verifying that the equations 

$$\prod_{\nu=-2}^{k} f_\nu^{r_\nu} = f'_0 \prod_{i=1}^{k} f_i'^{\,c_i}, \qquad \prod_{\nu=-2}^{k} f_\nu^{r'_\nu} = f''_0 \prod_{i=1}^{k} f_i'^{\,c_i^2} \pmod p$$

hold, where the former (the single check of Eq. (9)) is more efficient^5. 

^3 The equation related to Equation (12) is the 7-th equation in the 
verification phase of the scheme of [8]. We can see that the terms quadratic 
and linear in the challenge have disappeared in the proposed protocol. 

^4 The 8-th equation in the verification phase of the scheme of [8]. 

^5 $\alpha$ plays the role of $\lambda'$ in [8]. 
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4.3 Proposed Protocol 

We now describe our verifiable ElGamal shuffle decryption and our scheme. Let 
the public parameters $p, q, g_0, m_0$ and the private key $x'$ be as described 
before. We assume another public key $F_n = \{f_\nu\}_{\nu=-2,\dots,k}$ of 
$k+3$ elements of $G_q$ that are uniformly and randomly generated so that 
neither $P$ nor $V$ can generate non-trivial integers $a, \{a_\nu\}_{\nu=-2,\dots,k}$ 
satisfying $\prod_{\nu=-2}^{k} f_\nu^{a_\nu} = g_0^{a} \pmod p$ with 
non-negligible probability. 

ElGamal Shuffle Decryption. $P$ uniformly and randomly chooses 
$A_{0i} \in_R \mathbb{Z}/q\mathbb{Z}$ for $i = 1, \dots, k$ and a permutation 
matrix $(A_{ij})_{i,j=1,\dots,k}$, and then shuffles and decrypts $k$ ElGamal 
ciphertexts $\{(g_i, m_i)\}_{i=1,\dots,k}$ to $\{(g'_i, m'_i)\}_{i=1,\dots,k}$ as 

$$(g'_i, m'_i) = \Bigl(g_0^{A_{0i}} \prod_{j=1}^{k} g_j^{A_{ji}},\; g_i'^{\,-x'} m_0^{A_{0i}} \prod_{j=1}^{k} m_j^{A_{ji}}\Bigr) \bmod p = \Bigl(\prod_{\nu=0}^{k} g_\nu^{A_{\nu i}},\; g_i'^{\,-x'} \prod_{\nu=0}^{k} m_\nu^{A_{\nu i}}\Bigr) \bmod p. \tag{7}$$

In our protocol, the witness $W_n$ is the set 
$\{x', \{A_{0i}\}_{i=1,\dots,k}, (A_{ij})_{i,j=1,\dots,k}\}$, and the common 
input $X_n$ is the set 
$\{p, q, g_0, y, m_0, F_n, (g_i, m_i)_{i=1,\dots,k}, (g'_i, m'_i)_{i=1,\dots,k}\}$. 
$P$ is given $X_n$ and $W_n$, and $V$ is given $X_n$. 



Proving a Shuffle Decryption. Commitment-1: $P$ uniformly and randomly chooses 
$\{A_{\nu 0}, A'_\nu \in_R \mathbb{Z}/q\mathbb{Z}\}_{\nu=-2,\dots,k}$ and then 
computes: 

$$A_{-1\,i} = \sum_{j=1}^{k} 3 A_{j0} A_{ji} \bmod q, \qquad A_{-2\,i} = \sum_{j=1}^{k} 3 A_{j0}^2 A_{ji} \bmod q, \qquad i = 1, \dots, k$$
$$f'_\nu = \prod_{\mu=-2}^{k} f_\mu^{A_{\mu\nu}} \bmod p, \qquad \nu = 0, \dots, k$$
$$f''_0 = \prod_{\nu=-2}^{k} f_\nu^{A'_\nu} \bmod p$$
$$g'_0 = \prod_{\nu=0}^{k} g_\nu^{A_{\nu 0}} \bmod p, \qquad m'_0 = \prod_{\nu=0}^{k} m_\nu^{A_{\nu 0}} \bmod p$$
$$w = \sum_{j=1}^{k} A_{j0}^3 - A_{-2\,0} - A'_{-1} \bmod q$$

Then, $P$ sends $g'_0, m'_0, w, f''_0, \{f'_\nu\}_{\nu=0,\dots,k}$ to $V$ as a 
commitment. 

Challenge-1: $V$ uniformly and randomly chooses $\{c_i\}_{i=1,\dots,k}$ from 
$\mathbb{Z}/q\mathbb{Z}$ and sends it to $P$. 

Response-1: $P$ sends $V$ the following response: 

$$r_\nu = \sum_{\mu=0}^{k} A_{\nu\mu} c_\mu \bmod q, \qquad r'_\nu = \sum_{i=1}^{k} A_{\nu i} c_i^2 + A'_\nu \bmod q, \qquad \nu = -2, \dots, k$$

where $c_0 = 1$. 
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Commitment-2: $P$ then computes 

$$\zeta = \prod_{i=1}^{k} g_i'^{\,c_i} \bmod p.$$

$P$ uniformly and randomly chooses $\beta \in_R \mathbb{Z}/q\mathbb{Z}$, 
computes the following commitment, and sends it to $V$: 

$$\eta = \zeta^{x'} \bmod p, \qquad \eta' = \zeta^{\beta} \bmod p, \qquad y' = g_0^{\beta} \bmod p. \tag{8}$$

Challenge-2: $V$ uniformly and randomly chooses $c'$ from 
$\mathbb{Z}/q\mathbb{Z}$ and sends it to $P$. 

Response-2: $P$ sends $V$ the following response: $r' = c' x' + \beta \bmod q$. 

Verification: $V$ computes 

$$\zeta = \prod_{i=1}^{k} g_i'^{\,c_i} \bmod p.$$

$V$ accepts the shuffle if the following equations hold for a uniformly and 
randomly generated $\alpha \in_R \mathbb{Z}/q\mathbb{Z}$: 

$$\prod_{\nu=-2}^{k} f_\nu^{\,r_\nu + \alpha r'_\nu} = f'_0\, f_0''^{\,\alpha} \prod_{i=1}^{k} f_i'^{\,c_i + \alpha c_i^2} \pmod p \tag{9}$$
$$\prod_{\nu=0}^{k} g_\nu^{\,r_\nu} = \prod_{\mu=0}^{k} g_\mu'^{\,c_\mu} \pmod p \tag{10}$$
$$\prod_{\nu=0}^{k} m_\nu^{\,r_\nu} = \eta \prod_{\mu=0}^{k} m_\mu'^{\,c_\mu} \pmod p \tag{11}$$
$$\sum_{i=1}^{k} (r_i^3 - c_i^3) = r_{-2} + r'_{-1} + w \pmod q \tag{12}$$
$$g_0^{\,r'} = y^{c'} y' \pmod p \tag{13}$$
$$\zeta^{\,r'} = \eta^{c'} \eta' \pmod p \tag{14}$$


The view $\mathrm{View}_V(X_n, W_n)$ of this protocol is 

$$p, q, y, g_0, m_0, \{(g_i, m_i)\}_{i=1,\dots,k}, \{(g'_i, m'_i)\}_{i=1,\dots,k}, F_n, f'_0, \{f'_i\}_{i=1,\dots,k}, f''_0, g'_0, m'_0, w, \{c_i\}_{i=1,\dots,k},$$
$$\{r_\nu\}_{\nu=-2,\dots,k}, \{r'_\nu\}_{\nu=-2,\dots,k}, \eta, \eta', y', c', r'.$$
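The whole interaction above, as an added example that is not the paper's code: one Python function plays both prover and verifier of Section 4.3 over constructed inputs, checks Eqs. (9) to (14) as written here, and then decrypts the outputs with the remaining key $x$ to confirm they are the input plaintexts. Assumptions of mine: a toy group with $q = 10^9 + 7$ (so $3 \nmid q-1$) and $p = tq + 1$ found by search; $F_n$ is produced from random exponents that are thrown away, standing in for the trusted generation the protocol requires; and a `tamper` flag lets a cheating prover alter one output ciphertext so that the verifier's rejection can be seen.

```python
"""One run of the verifiable ElGamal shuffle-decryption of Section 4.3 (Eqs. (7)-(14)), prover and
verifier together. Added example, not the paper's code. Assumptions: a toy group with q = 10^9 + 7
(3 does not divide q - 1) and p = t*q + 1; F_n is generated here from random exponents that are
discarded, where a deployment needs a trusted setup so that nobody knows the logs of the f_nu."""
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin, exact for n < 3.3e24."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if any(n % a == 0 for a in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


Q = 1_000_000_007
assert is_prime(Q) and (Q - 1) % 3 != 0                  # Theorem 2 needs 3 not dividing q - 1
T = 2
while not is_prime(T * Q + 1):
    T += 2
P = T * Q + 1                                            # G_q = order-q subgroup of (Z/pZ)*
G0 = next(h for h in (pow(b, T, P) for b in range(2, 64)) if h != 1)


def rq():
    return secrets.randbelow(Q)


def prod(factors):
    out = 1
    for v in factors:
        out = out * v % P
    return out


def shuffle_decrypt(cts, phi, s, x_p, m0):
    """Eq. (7): (g'_i, m'_i) = (g0^{s_i} g_j, g'_i^{-x'} m0^{s_i} m_j) where phi(j) = i, i.e. A_ji = 1."""
    out = [None] * len(cts)
    for j, (g, m) in enumerate(cts):
        i = phi[j]
        gp = pow(G0, s[i], P) * g % P
        out[i] = (gp, pow(gp, (-x_p) % Q, P) * pow(m0, s[i], P) * m % P)
    return out


def run(k=4, tamper=False):
    """Returns (verifier accepts, outputs decrypt under x to the input plaintexts)."""
    x_p, x = rq(), rq()                                  # x' = this prover's key, x = sum of the other provers'
    y, m0 = pow(G0, x_p, P), pow(G0, (x_p + x) % Q, P)
    f = {nu: pow(G0, rq(), P) for nu in range(-2, k + 1)}           # F_n = {f_nu}, logs discarded (assumption)
    M = [pow(G0, rq(), P) for _ in range(k)]                         # constructed plaintexts in G_q
    cts = [(pow(G0, r, P), Mi * pow(m0, r, P) % P) for Mi, r in zip(M, [rq() for _ in range(k)])]
    phi = list(range(k))
    secrets.SystemRandom().shuffle(phi)                              # phi(j) = phi[j], 0-based
    s = [rq() for _ in range(k)]
    out = shuffle_decrypt(cts, phi, s, x_p, m0)
    if tamper:                                                       # a cheating prover alters one output
        out[0] = (out[0][0], out[0][1] * G0 % P)
    g, m = [G0] + [c[0] for c in cts], [m0] + [c[1] for c in cts]    # index 0 holds the public key
    gp, mp = {i + 1: c[0] for i, c in enumerate(out)}, {i + 1: c[1] for i, c in enumerate(out)}
    # Commitment-1: A_{nu mu} for nu in -2..k; only columns mu = 0..k are ever used
    A = {(nu, 0): rq() for nu in range(-2, k + 1)}
    Ap = {nu: rq() for nu in range(-2, k + 1)}                       # A'_nu
    for i in range(1, k + 1):
        A[(0, i)] = s[i - 1]
        for j in range(1, k + 1):
            A[(j, i)] = 1 if phi[j - 1] == i - 1 else 0
        A[(-1, i)] = sum(3 * A[(j, 0)] * A[(j, i)] for j in range(1, k + 1)) % Q
        A[(-2, i)] = sum(3 * A[(j, 0)] ** 2 * A[(j, i)] for j in range(1, k + 1)) % Q
    fp = {nu: prod(pow(f[mu], A[(mu, nu)], P) for mu in range(-2, k + 1)) for nu in range(0, k + 1)}
    fpp0 = prod(pow(f[nu], Ap[nu], P) for nu in range(-2, k + 1))
    gp[0] = prod(pow(g[nu], A[(nu, 0)], P) for nu in range(0, k + 1))
    mp[0] = prod(pow(m[nu], A[(nu, 0)], P) for nu in range(0, k + 1))
    w = (sum(A[(j, 0)] ** 3 for j in range(1, k + 1)) - A[(-2, 0)] - Ap[-1]) % Q
    # Challenge-1 and Response-1
    c = {0: 1, **{i: rq() for i in range(1, k + 1)}}
    r = {nu: sum(A[(nu, mu)] * c[mu] for mu in range(0, k + 1)) % Q for nu in range(-2, k + 1)}
    rp = {nu: (sum(A[(nu, i)] * c[i] ** 2 for i in range(1, k + 1)) + Ap[nu]) % Q for nu in range(-2, k + 1)}
    # Commitment-2, Challenge-2, Response-2: Chaum-Pedersen proof that log_{g0} y = log_zeta eta
    zeta = prod(pow(gp[i], c[i], P) for i in range(1, k + 1))       # the verifier recomputes this itself
    beta = rq()
    eta, etap, yp = pow(zeta, x_p, P), pow(zeta, beta, P), pow(G0, beta, P)
    cp = rq()
    rr = (cp * x_p + beta) % Q
    # Verification, Eqs. (9)-(14), with alpha chosen by the verifier
    alpha = rq()
    checks = [
        prod(pow(f[nu], (r[nu] + alpha * rp[nu]) % Q, P) for nu in range(-2, k + 1))
        == fp[0] * pow(fpp0, alpha, P) % P
        * prod(pow(fp[i], (c[i] + alpha * c[i] ** 2) % Q, P) for i in range(1, k + 1)) % P,
        prod(pow(g[nu], r[nu], P) for nu in range(0, k + 1)) == prod(pow(gp[mu], c[mu], P) for mu in range(0, k + 1)),
        prod(pow(m[nu], r[nu], P) for nu in range(0, k + 1)) == eta * prod(pow(mp[mu], c[mu], P) for mu in range(0, k + 1)) % P,
        sum(r[i] ** 3 - c[i] ** 3 for i in range(1, k + 1)) % Q == (r[-2] + rp[-1] + w) % Q,
        pow(G0, rr, P) == pow(y, cp, P) * yp % P,
        pow(zeta, rr, P) == pow(eta, cp, P) * etap % P,
    ]
    decrypted = sorted(mp[i] * pow(gp[i], (-x) % Q, P) % P for i in range(1, k + 1))
    return all(checks), decrypted == sorted(M)


if __name__ == "__main__":
    print("honest prover:", run(4))          # (True, True)
    print("tampered output:", run(4, True))  # (False, False)
```

Eq. (12) is where the cube test of Theorem 2 lives: with $r_i = A_{i0} + c_{\phi(i)}$ the cubes expand into $\sum_j A_{j0}^3$ plus the terms $3A_{j0}^2 c_{\phi(j)}$ and $3A_{j0} c_{\phi(j)}^2$ that $A_{-2\,i}$ and $A_{-1\,i}$ absorb, which is why the prover can precompute those two rows and send only $w$.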
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4.4 Properties of the Proposed Scheme 

Theorem 3. The protocol is complete. 

Theorem 4. The protocol is special sound as long as the discrete logarithm 
problem is difficult to solve. 

Theorems 3 and 4 can be proved along the lines of [9]. Proofs are given in the 
appendix of [7]. 

Theorem 5. If the decision Diffie-Hellman problem is difficult to solve, the 
verifiable shuffle-decryption protocol $(P, V, G_R)$ is special 
complete-permutation-hiding. 

Proof. The proof is given in the appendix of [7]. 



4.5 Threshold Decryption 

Although it is possible to achieve threshold decryption with the proposed 
protocol, it does not work as well as ordinary threshold decryption. If we 
assume that only honest shufflers participate in the shuffle-decryption 
protocol, there is no disadvantage in using our protocol. However, if a 
malicious shuffler quits the decryption after some other shufflers have finished 
their decryptions, our protocol gets into trouble. 

Suppose we are decrypting or shuffle-decrypting $k$ ElGamal cipher-texts, 
$\lambda$ shufflers have finished their partial decryptions, and one shuffler 
quits its decryption procedure. In the ordinary threshold decryption protocol, 
the remaining shufflers and one substituting (new) shuffler are able to 
continue the threshold decryption protocol with only little modification. 
However, $k\lambda$ extra modular exponentiations are required to complete the 
decryption, and the verifier must compute $k\lambda$ extra modular 
exponentiations to verify the correctness of the decryption. 

In our protocol, the shufflers that have finished their partial decryptions 
need to help the other players complete the protocol. Each of them needs to 
compute $k$ modular exponentiations to modify the cipher-texts that have already 
been shuffle-decrypted by the $\lambda$ shufflers, and each needs to prove the 
correctness of this computation, which requires another $k$ modular 
exponentiations. Moreover, the verifier needs to compute an extra $2k\lambda$ 
modular exponentiations to verify the correctness of the protocol. 

5 Efficiency 

In this section, we compare the efficiency of the proposed protocol described in 
Section 4 to (FS) the protocol proposed in [9], (FMMOS) the protocol proposed 
in [8], and (Groth) the protocol proposed in [13]. We have assumed the lengths 
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of $p$ and $q$ to be 1024 and 160 bits. We denote the protocol of Section 4 as 
(proposed). 

Let us first compare them, in Table 1, by the number of exponentiations used in 
each protocol when the number of ciphertexts is $k$. "shuffle P" and "shuffle V" 
denote the number of exponentiations required for $P$ and $V$ to prove and 
verify a shuffle, and "shuffle-decrypt P" and "shuffle-decrypt V" denote the 
number of exponentiations required for $P$ and $V$ to prove and verify a 
shuffle-decryption. The numbers for (FS), (FMMOS), and (Groth) are those 
required to prove a shuffle-decryption with the standard technique. 

If we adopt the computation tools described in [16], such as the simultaneous 
multiple exponentiation algorithm and the fixed-base comb method, the number of 
exponentiations can be heuristically reduced. We estimated that a multiple 
exponentiation costs 1/3, and the fixed-base comb method 1/12 (when the number 
of ciphertexts is large), of a single exponentiation. Estimates done in this 
way are in Table 2. Here, "shuffle P", "shuffle V", "shuffle-decrypt P", and 
"shuffle-decrypt V" denote the same items as in Table 1. 

Table 3 lists the number of communication bits and the number of rounds 
required for the protocols. "shuffle" denotes the number of communication bits 
used when proving a shuffle, "shuffle-decrypt" denotes the number of 
communication bits used when proving a shuffle-decryption, and "rounds" denotes 
the number of rounds required. The numbers for (FS), (FMMOS), and (Groth) 
include intermediate state data bits, i.e., those of the shuffled data. 





                        (FS)     (FMMOS)    (Groth)    (proposed) 
  shuffle P              8k         -         6k           - 
  shuffle V             10k         -         6k           - 
  shuffle-decrypt P     (9k)       9k        (7k)         8k 
  shuffle-decrypt V    (12k)      10k        (8k)         6k 

Table 1. Numbers of exponentiations required in each protocol (entries in 
parentheses are obtained with the standard technique for adding a decryption 
proof mentioned above) 





                        (FS)     (FMMOS)    (Groth)    (proposed) 
  shuffle P             1.4k        -        1.75k          - 
  shuffle V             3.3k        -        1.75k          - 
  shuffle-decrypt P    (2.4k)     1.75k     (2.75k)        1.9k 
  shuffle-decrypt V    (4.5k)     3.3k       (3k)          2k 

Table 2. Cost of computation required in each protocol, in units of one single 
exponentiation 



Our protocol and the protocols of [9,8] require a rather long public parameter 
$F_n$. Although the protocol of [13] also requires such a parameter, it can be 
reduced greatly at the cost of increasing the amount of both computation and 
communication. 
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                        (FS)     (FMMOS)    (Groth)    (proposed) 
  shuffle              5044k        -        1184k          - 
  shuffle-decrypt     (6388k)     5044k     (2528k)       1344k 
  rounds                  3          5          7            5 

Table 3. Communication bits and rounds required in each protocol 



From Tables 2 and 3, we can conclude that the computational complexity of our 
proposed protocol represents a 32% improvement in efficiency over that of 
(Groth) [13], while the communication complexity improves by 47%. Our protocol 
requires two rounds fewer than Groth's [13]. 

6 Conclusion 

In this paper, we have proposed a formal definition for the core requirement of 
unlinkability in verifiable shuffle-decryption. We have also presented a novel 
method of simultaneously proving the correctness of both a shuffle and a 
decryption, and then proved its security and demonstrated its superior 
efficiency over that of [13] and [8]. 
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Abstract. Here we describe new tools to be used in fields of the form 
$GF(2^n)$ that help describe properties of elliptic curves defined over 
$GF(2^n)$. Further, utilizing these tools we describe a new elliptic curve 
point compression method, which provides the most efficient use of bandwidth 
whenever the elliptic curve is defined by $y^2 + xy = x^3 + a_2 x^2 + a_6$ 
and the trace of $a_2$ is zero. 



1 Introduction 

In [5,9], Koblitz and Miller independently proposed to use elliptic curves over 
a finite field to implement cryptographic primitives. The benefits of utilizing 
elliptic curves as a public key primitive are well recognized: smaller 
bandwidth, fast key exchange and fast signature generation. 

The focus of this paper will be elliptic curves $E$ defined over a field of 
the form $GF(2^n)$. In particular, our contribution will be the development of 
new tools to be used in $GF(2^n)$ that help describe elliptic curve properties, 
as well as a new method for point compression, which is the most efficient 
point compression described so far.^1 Our result answers a question that 
Seroussi raised in [12]. There Seroussi stated that it may be possible to 
improve on his point compression algorithm but that no known efficient method 
existed. In addition to the point compression method we provide additional 
results which were derived from the tools developed for the point compression 
method. Integral to our work is the method of halving a point. 



2 Background Mathematics: Binary Fields $GF(2^n)$ and 
Elliptic Curves 

2.1 The Trace Operator in $GF(2^n)$ 

The trace function, denoted by $Tr$, is a homomorphic mapping^2 of $GF(2^n)$ 
onto $\{0, 1\}$. The trace of an element $\alpha \in GF(2^n)$, denoted by 
$Tr(\alpha)$, can be 

^1 Point compression provides an improvement on bandwidth. 

^2 $Tr(\alpha + \beta) = Tr(\alpha) + Tr(\beta)$. 

F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 333-345, 2004. 

(c) International Association for Cryptologic Research 2004 
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computed (see [15]) as $Tr(\alpha) = \alpha + \alpha^2 + \alpha^{2^2} + \cdots + \alpha^{2^{n-1}}$. 
(In reality, the trace function can be computed extremely efficiently, see 
Table 2 in the appendix.) For more information concerning the $Tr()$ operator 
and its importance see [7]. It can be shown that $Tr()$ is a linear operator 
which returns a 0 or a 1 and satisfies $Tr(\alpha^2) = Tr(\alpha)$. In 
$GF(2^n)$, where $n$ is odd (which is true for all binary fields that we are 
interested in), $Tr(1) = 1$ (this can easily be derived from the above 
equation). Consequently, for all $\alpha \in GF(2^n)$ with $Tr(\alpha) = 0$ we 
have $Tr(\alpha + 1) = 1$ and vice versa. For a given $b \in GF(2^n)$, the 
quadratic equation $\lambda^2 + \lambda = b$ in $GF(2^n)$ has a solution if and 
only if $Tr(b) = 0$ [7]. Observe that if $\lambda$ is a solution to the above 
quadratic equation, then $\lambda + 1$ is also a solution, and 
$Tr(\lambda + 1) = Tr(\lambda) + 1$. Hence whenever $n$ is odd, which we will 
always assume, for each solvable quadratic equation there is a solution with 
trace 1 and a solution with trace 0. 



2.2 Elliptic Curve Operation

For the finite field $GF(2^n)$, the standard equation or Weierstrass equation for a non-supersingular elliptic curve is:

$$y^2 + xy = x^3 + a_2 x^2 + a_6 \qquad (1)$$

where $a_2, a_6 \in GF(2^n)$, $a_6 \neq 0$. The points $P = (x, y)$, where $x, y \in GF(2^n)$, that satisfy the equation, together with the point $\mathcal{O}$, called the point at infinity, form an additive abelian group $E_{a_2,a_6}$. Here addition in $E_{a_2,a_6}$ is defined by: for all $P \in E_{a_2,a_6}$

- $P + \mathcal{O} = P$,

- for $P = (x, y) \neq \mathcal{O}$, $-P = (x, x + y)$,

- and for all $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, both not equal to the identity and $P_1 \neq -P_2$, $P_1 + P_2 = P_3 = (x_3, y_3)$ where $x_3, y_3 \in GF(2^n)$ satisfy:

$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a_2$$

and

$$y_3 = \lambda(x_1 + x_3) + x_3 + y_1,$$

where $\lambda = \frac{y_1 + y_2}{x_1 + x_2}$ if $P_1 \neq P_2$ and $\lambda = x_1 + \frac{y_1}{x_1}$ for $P_1 = P_2$.

As stated earlier, the elliptic curve $E_{a_2,a_6}$ is given by the equation $y^2 + xy = x^3 + a_2 x^2 + a_6$. If $(x, y) \in E_{a_2,a_6}$ and $x \neq 0$ then $\frac{y^2}{x^2} + \frac{y}{x} = x + a_2 + \frac{a_6}{x^2}$. By making the substitution $z = \frac{y}{x}$ we see that $z^2 + z = x + a_2 + \frac{a_6}{x^2}$. Since this quadratic equation is solvable, we see that $Tr(x + a_2 + \frac{a_6}{x^2}) = 0$. Observe that if $\beta \neq 0$ satisfies $Tr(\beta + a_2 + \frac{a_6}{\beta^2}) = 0$ then there exists a $z$ such that $z^2 + z = \beta + a_2 + \frac{a_6}{\beta^2}$. By setting $y = \beta z$ we see that $y^2 + \beta y = \beta^3 + a_2 \beta^2 + a_6$. Hence $(\beta, y) \in E_{a_2,a_6}$. And so the condition that a nonzero field element $\beta$ satisfies $Tr(\beta + a_2 + \frac{a_6}{\beta^2}) = 0$ is both a necessary and sufficient condition to determine if the element is the $x$-coordinate of a point on $E_{a_2,a_6}$.

In a cryptographic application, the elliptic curve will be selected so that $E_{a_2,a_6}$ contains a large subgroup of prime order. The cryptographically relevant points will belong to this subgroup of large prime order.
2.3 Point Compression Algorithms

In [15] an algorithm for point compression is described. We summarize it as follows. For a party to send a cryptographically relevant elliptic curve point $P$ they need to send an ordered pair. However, rather than sending an ordered pair it is possible to send the $x$-coordinate and one bit of information. The corresponding $y$-coordinate can be computed using $x$ and this one bit. This is because, by equation (1), we have $\frac{y^2}{x^2} + \frac{y}{x} = x + a_2 + \frac{a_6}{x^2}$. The problem is that there are two solutions to this equation; one solution has trace 1 and the other solution has trace 0. Consequently the only information concerning $y$ that needs to be transmitted by the sender is the trace of $\frac{y}{x}$. So if we are given $x$ we can solve for a $\lambda$ which satisfies $\lambda^2 + \lambda = x + a_2 + \frac{a_6}{x^2}$. One can determine $y$ from $\lambda$, $x$ and this one bit (if $Tr(\lambda)$ equals the transmitted bit then $y = x\lambda$, otherwise $y = x(\lambda + 1)$). This method has been standardized in [16,15] and has been patented. The result is that this method requires $n + 1$ bits to transmit a point on an elliptic curve defined over $GF(2^n)$.

In [2], Seroussi described an even more efficient point compression algorithm. Suppose that $(x_2, y_2) \in E$. Then $Tr(x_2 + a_2 + \frac{a_6}{x_2^2}) = 0$. Again, we assume that $(x_2, y_2)$ is a cryptographically relevant point, that is, it is a point of prime order $p$. Since $(x_2, y_2)$ is of odd prime order, it is the double of some point $(x_1, y_1)$. Seroussi, in [2], demonstrated that this implies that $Tr(x_2) = Tr(a_2)$. For completeness (as well as to demonstrate tools that we utilize later) we recreate it here. Suppose $(x_2, y_2)$ is the double of some point $(x_1, y_1) \in E$. Thus $x_2 = x_1^2 + \frac{a_6}{x_1^2}$. Since $(x_1, y_1) \in E$ we have $Tr(x_1 + a_2 + \frac{a_6}{x_1^2}) = 0$. Further, since $Tr(x^2) = Tr(x)$ we have

$$Tr\Big(x_1 + a_2 + \frac{a_6}{x_1^2}\Big) = Tr\Big(x_1^2 + a_2 + \frac{a_6}{x_1^2}\Big) = Tr(x_2 + a_2) = 0.$$

Therefore $Tr(x_2) = Tr(a_2)$. It was this property that Seroussi exploits in his compression algorithm. Let $Q = (x_2, y_2)$ be the cryptographically relevant point on the curve $E$. Consequently $Q$ will belong to a subgroup of prime order and so $Q$ is the double of some point $P$. Thus $Tr(x_2) = Tr(a_2)$. Given a field element $z = (c_{n-1}, \ldots, c_1, c_0)$ in $GF(2^n)$, it can be represented by $n$ bits. At least one of the bits is used to compute the trace; let $i$ denote the smallest index such that $c_i$ is used to compute the trace (in fact $i = 0$ whenever $n$ is odd, since $Tr(1) = 1$), see Table 2 for examples on how to efficiently compute the trace for the binary fields used in the NIST list of elliptic curves. Suppose $x_2 = (c_{n-1}, c_{n-2}, \ldots, c_1, c_0)$. Then to transmit the $x$-coordinate $x_2$ we only need to send $n - 1$ bits, since we can transmit $(c_{n-1}, c_{n-2}, \ldots, c_{i+1}, c_{i-1}, \ldots, c_1, c_0)$. Now the receiver knows the curve and all of its parameters, thus they know $i$. Further, the receiver knows that $x_2$ satisfies $Tr(x_2) = Tr(a_2)$. Consequently the receiver can determine whether $c_i$ should be a one or a zero. Once the receiver has $x_2$, they solve for $z$ such that $z^2 + z = x_2 + a_2 + \frac{a_6}{x_2^2}$. Then $y_2$ can be computed by $y_2 = x_2 \cdot z$. The problem again is that there are two solutions to this equation in $z$; one $z$-solution has trace 1 and the other $z$-solution has trace 0. Thus the only information needed to transmit $y$ is the trace of the $z$-value. Hence only one bit needs to be transmitted to communicate $y$. Therefore Seroussi has demonstrated that only $n$ bits are needed to transmit to a receiver a point on the elliptic curve $E$ over $GF(2^n)$.



2.4 Halving a Point

In [6], Knudsen introduced the halving point coordinates and the halving a point algorithm. Knudsen introduced the concept of halving a point on an elliptic curve over $GF(2^n)$ to compute the scalar multiple $kP$.$^3$ Knudsen described how to compute $\frac{1}{2}P$ given a point $P = (x, y) \in E$, where $P$ is the double of some point. At the heart of this computation is the representation of a point. Rather than using the affine coordinates of a point $P = (x, y) \in E$, Knudsen represented $P$ as $P = (x, \lambda_P)$ where $\lambda_P = x + \frac{y}{x}$, which we refer to as halving coordinates. Observe that given $x$ and $\lambda_P$, $y$ can be computed since $y = x(x + \lambda_P)$.

Let $Q = (u, \lambda_Q) = \frac{1}{2}P$ where $P = (x, \lambda_P)$. Then Knudsen [6] demonstrated that the following two equations determine $Q$; first $\lambda_Q$ can be determined by solving:

$$\lambda_Q^2 + \lambda_Q = a_2 + x. \qquad (2)$$

Once one solves for $\lambda_Q$, $u$ can be determined by computing

$$u = \sqrt{x(\lambda_Q + 1) + y} = \sqrt{x(\lambda_Q + \lambda_P + x + 1)}. \qquad (3)$$

Observe that $Tr(a_2 + x)$ must equal 0, which is true if and only if $P$ is the double of some point, an observation that is used in both [14,12]. It is trivial to demonstrate that the computed $(u, \lambda_Q)$ is a "half" of $P$. Knudsen's algorithm requires one square root, one multiplication, one solve (which is the half-trace), and, though not illustrated above, one trace check. So it will be very efficient.

The primary focus in [6] was on elliptic curves with a cofactor of 2, but Knudsen did not limit his work to only such curves. He provided formulae for the case when the cofactor is 2, as well as when the cofactor is $2^L$ (where $L > 1$). In [4], an improvement of Knudsen's halving algorithm for curves with a cofactor of $2^L$ where $L > 1$ was demonstrated.

Integral to our work will be the following algorithms.

SOLVE(s)
    if Tr(s) != 0
        return No solution
    let zeta be an arbitrary solution to the equation w^2 + w = s
    return zeta

HALF(P = (x_P, lambda_P))
    if Tr(x_P + a_2) != 0
        return No half point
    lambda_Q = SOLVE(x_P + a_2)
    u_Q = sqrt( x_P (lambda_Q + lambda_P + x_P + 1) )
    return (u_Q, lambda_Q)

In the SOLVE algorithm, there are two solutions to the quadratic equation. So when $\zeta$ is assigned to be an arbitrary solution it means that any one of the two solutions is returned. The Theorem described below demonstrates that not only will the HALF algorithm produce a half when the input point can be halved, but that for any input the HALF algorithm will produce the correct output.

$^3$ Independently, Schroeppel [11] also developed the method of halving a point to perform cryptographic computations on an elliptic curve.

A Point Compression Method for Elliptic Curves Defined over $GF(2^n)$

Theorem 1. Let $P \in E$, then

(i) If $Q = $ HALF($P$) then $Q \in E$ and $2Q = P$.

(ii) If HALF($P$) returns No half point then for all $Q \in E$, $2Q \neq P$.

The proof is left as an exercise.
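As an added worked derivation (not part of the original paper), here is the computation behind Theorem 1(i), using only the definitions above. Write $w = \lambda_Q + \lambda_P + x + 1$, so that $u^2 = xw$ by (3), and let $v = u(u + \lambda_Q)$ be the affine $y$-coordinate of $Q = (u, \lambda_Q)$. Then

\[
\begin{aligned}
\lambda_P^2 + \lambda_P &= x^2 + \frac{y^2}{x^2} + x + \frac{y}{x} = x^2 + x + \frac{y^2 + xy}{x^2} = x^2 + a_2 + \frac{a_6}{x^2} \quad \text{(by (1))},\\
w^2 + w &= (\lambda_Q^2 + \lambda_Q) + (\lambda_P^2 + \lambda_P) + x^2 + x = (x + a_2) + \Big(x^2 + a_2 + \frac{a_6}{x^2}\Big) + x^2 + x = \frac{a_6}{x^2},\\
u^4 + xu^2 &= x^2 w^2 + x^2 w = x^2(w^2 + w) = a_6,\\
v^2 + uv &= u^2\big((u + \lambda_Q)^2 + (u + \lambda_Q)\big) = u^2(u^2 + u + x + a_2) = u^3 + a_2 u^2 + (u^4 + xu^2) = u^3 + a_2 u^2 + a_6,
\end{aligned}
\]

so $Q \in E$. Doubling $Q$ with the formulas of Section 2.2 uses $\lambda = u + \frac{v}{u} = \lambda_Q$, hence

\[
x(2Q) = \lambda_Q^2 + \lambda_Q + a_2 = x, \qquad
y(2Q) = \lambda_Q(u + x) + x + v = u^2 + (\lambda_Q + 1)x = x(\lambda_Q + \lambda_P + x + 1) + (\lambda_Q + 1)x = x(x + \lambda_P) = y.
\]

Part (ii) is the trace condition: if $2Q = P$ for some $Q = (u, v) \in E$ then $x = \lambda_Q^2 + \lambda_Q + a_2$ with $\lambda_Q = u + \frac{v}{u}$, so $Tr(x + a_2) = 0$ and HALF does not return No half point.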

3 Some Observations

Recall that when $(x_2, y_2) \in E$ with $x_2 \neq 0$, we must have $Tr(x_2 + a_2 + \frac{a_6}{x_2^2}) = 0$. Further, if $(x_2, y_2)$ is a double of some point then $Tr(x_2) = Tr(a_2)$. Therefore if $(x_2, y_2)$ is a double of some point then $Tr(\frac{a_6}{x_2^2}) = Tr(\frac{\sqrt{a_6}}{x_2}) = 0$. This condition can be shown to be both necessary and sufficient to imply that a point is the double of some point in $E$. The argument is as follows: Suppose $Tr(\frac{a_6}{x_2^2}) = 0$ where $(x_2, y_2) \in E$. Since $Tr(x_2 + a_2 + \frac{a_6}{x_2^2}) = 0$ we see that $Tr(x_2) = Tr(a_2)$. Consider the equation $x^2 + \frac{a_6}{x^2} = x_2$. Observe that if $x$ satisfies this equation then $x$ satisfies $Tr(x^2 + a_2 + \frac{a_6}{x^2}) = Tr(x_2 + a_2) = Tr(x + a_2 + \frac{a_6}{x^2}) = 0$. Thus there exists a $y$ such that $(x, y) \in E$. Now the equation $x^2 + \frac{a_6}{x^2} = x_2$ is solvable, since it reduces to solving $x^4 + x_2 x^2 = a_6$, which is $x_2^2 t^2 + x_2^2 t = a_6$ by letting $x^2 = x_2 t$. This last equation reduces to $t^2 + t = \frac{a_6}{x_2^2}$. Since $\frac{a_6}{x_2^2}$ has trace 0, this is solvable. Once $t$ is found, solve for $x$ by letting $x^2 = x_2 t$ and computing $x = \sqrt{x_2 t}$.

Consequently the requirement for a point on $E$ to be a double can be solely expressed as a condition existing between $x$ and the parameter $a_6$. Of course the condition that given $x$ there is some $y$ such that $(x, y) \in E$ can be stated as: $Tr(x + a_2 + \frac{a_6}{x^2}) = 0$. Suppose $a_6$ is some fixed nonzero field element of $GF(2^n)$, and that $x_\beta$ is an arbitrary nonzero field element of $GF(2^n)$ where $Tr(\frac{a_6}{x_\beta^2}) = 0$. Then $x_\beta$ is the $x$-coordinate of a double of some point for ALL elliptic curves $E_{a_2,a_6}$ which satisfy $Tr(a_2) = Tr(x_\beta)$.

3.1 A Characterization of Nonzero Elements in $GF(2^n)$

Let $a_6$ be a fixed nonzero field element in $GF(2^n)$.

Let $x \in GF(2^n)$ with $x \neq 0$. We define the characterization of $x$ to be the binary ordered pair $(Tr(x), Tr(\frac{a_6}{x^2}))$; note that $Tr(\frac{a_6}{x^2}) = Tr(\frac{\sqrt{a_6}}{x})$ since $Tr(z^2) = Tr(z)$. The characterization of $x$ will be helpful in identifying the $x$-coordinates of points that belong to an elliptic curve or its twist, as well as identifying field elements that are the $x$-coordinate of points which are doubles. The four possible characterizations are: $(1,0)$, $(0,1)$, $(1,1)$ and $(0,0)$. Those field elements which have characterization $(1,0)$ and $(0,0)$ represent the field elements which are possible $x$-coordinates of the double of some elliptic curve point. (Whether a field element is an $x$-coordinate of a double depends on the trace of $a_2$. If $Tr(a_2) = 0$ then it would be those field elements with characterization $(0,0)$, whereas if $Tr(a_2) = 1$ then it would be those field elements with characterization $(1,0)$.)

Now consider the element $\frac{\sqrt{a_6}}{x}$. The characterization of $\frac{\sqrt{a_6}}{x}$ is

$$\Big(Tr\Big(\frac{\sqrt{a_6}}{x}\Big),\ Tr\Big(\frac{a_6}{(\sqrt{a_6}/x)^2}\Big)\Big) = \Big(Tr\Big(\frac{\sqrt{a_6}}{x}\Big),\ Tr(x^2)\Big).$$

Since $Tr(x^2) = Tr(x)$ we see that the characterization of $\frac{\sqrt{a_6}}{x}$ is equal to $(Tr(\frac{\sqrt{a_6}}{x}), Tr(x))$, which is a permutation of the characterization of $x$. The element $\frac{\sqrt{a_6}}{x}$ is of interest for the following reason: Let $T_2 = (0, \sqrt{a_6})$; then independent of the trace value of $a_2$ we will always have $T_2 \in E_{a_2,a_6}$. Further $T_2 = -T_2$. If $x$ represents the $x$-coordinate of some point $P \in E_{a_2,a_6}$ then the $x$-coordinate of $P + T_2$ is $\frac{\sqrt{a_6}}{x}$.
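The last claim follows from the addition law of Section 2.2. As an added worked derivation (not part of the original paper), with $P = (x, y)$, $x \neq 0$, and $T_2 = (0, \sqrt{a_6})$:

\[
\lambda = \frac{y + \sqrt{a_6}}{x + 0}, \qquad
x(P + T_2) = \lambda^2 + \lambda + x + 0 + a_2 = \frac{y^2 + a_6}{x^2} + \frac{y}{x} + \frac{\sqrt{a_6}}{x} + x + a_2 .
\]

By (1), $y^2 = x^3 + a_2 x^2 + xy + a_6$, so $\frac{y^2 + a_6}{x^2} = x + a_2 + \frac{y}{x}$ (the two copies of $a_6$ cancel in characteristic 2), and therefore

\[
x(P + T_2) = \Big(x + a_2 + \frac{y}{x}\Big) + \frac{y}{x} + \frac{\sqrt{a_6}}{x} + x + a_2 = \frac{\sqrt{a_6}}{x}.
\]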

Observe that if $x$ is an $x$-coordinate of some point on the elliptic curve $E_{a_2,a_6}$ then the characterization of $x$ satisfies $(Tr(x), Tr(\frac{a_6}{x^2})) = (Tr(x), Tr(x) + Tr(a_2))$, because $Tr(x + a_2 + \frac{a_6}{x^2}) = 0$. Further, the sum of the characterization coordinates of $x$ equals $Tr(a_2)$.

We can define an equivalence relation $R$ on $GF(2^n) \setminus \{0\}$ by: for each $x, y \in GF(2^n) \setminus \{0\}$ we say $xRy$ provided $y = x$ or $y = \frac{\sqrt{a_6}}{x}$. Each equivalence class contains two elements except for the equivalence class of $a_6^{1/4}$ (the unique solution of $x = \frac{\sqrt{a_6}}{x}$), which possesses one element. Therefore there are $(2^n - 2)/2 + 1 = 2^{n-1}$ equivalence classes for $GF(2^n) \setminus \{0\}$.

For all $i, j \in \{0, 1\}$ we define

$$A_{(i,j)} = \{x \in GF(2^n) \setminus \{0, a_6^{1/4}\} : x \text{ has characterization } (i,j)\}.$$

For all $x \in A_{(i,j)} \cup A_{(1+i,\,1+j)}$, $x$ will be the $x$-coordinate of some point on the elliptic curve $E_{a_2,a_6}$ where $Tr(a_2) = i + j$. In fact for all $P \in E_{a_2,a_6} \setminus \{\mathcal{O}\}$, if $x_P \notin \{0, a_6^{1/4}\}$ then $x_P \in A_{(i,j)} \cup A_{(1+i,\,1+j)}$. Of course $A_{(i+j,\,0)}$ will contain elements which are the $x$-coordinate of a double of some point in $E_{a_2,a_6}$ and $A_{(1+i+j,\,1)}$ will contain elements which are the $x$-coordinate of a point in $E_{a_2,a_6}$ which are not doubles.

Let $P_1, P_2 \in E_{a_2,a_6}$. Then the following can be established by utilizing the definition of point addition in $E_{a_2,a_6}$. If $x_{P_1}, x_{P_2} \in A_{(i+j,\,0)}$ and $P_1 + P_2 \neq \mathcal{O}$ then $x_{P_1+P_2} \in A_{(i+j,\,0)}$ (whenever $x_{P_1+P_2} \notin \{0, a_6^{1/4}\}$). If $x_{P_1} \in A_{(i+j,\,0)}$ and $x_{P_2} \in A_{(1+i+j,\,1)}$ then $x_{P_1+P_2} \in A_{(1+i+j,\,1)}$.

Since we have that for each $x$, the characterization of $\frac{\sqrt{a_6}}{x}$ is the permutation of the characterization of $x$, this implies that $|A_{(0,1)}| = |A_{(1,0)}|$ and that both $|A_{(0,0)}|$ and $|A_{(1,1)}|$ are even. Also since half of the elements in $GF(2^n)$ have trace 0 and the remaining elements have trace 1, we can infer that if $Tr(a_6) = 1$ then the number of elements of $GF(2^n)$ which have trace 0 is $1 + |A_{(0,1)}| + |A_{(0,0)}|$ (the 1 counting the element 0), whereas the number of elements which have trace 1 is $1 + |A_{(1,0)}| + |A_{(1,1)}|$ (the 1 counting $a_6^{1/4}$, whose trace equals $Tr(a_6)$). Thus when $Tr(a_6) = 1$ we have $|A_{(0,0)}| = |A_{(1,1)}|$. If $Tr(a_6) = 0$ then the number of elements of $GF(2^n)$ which have trace 0 is $1 + 1 + |A_{(0,1)}| + |A_{(0,0)}|$ and the number of elements which have trace 1 is $|A_{(1,0)}| + |A_{(1,1)}|$. Therefore when $Tr(a_6) = 0$ we see that $|A_{(1,1)}| = |A_{(0,0)}| + 2$.
Theorem 2. The number of points on an elliptic curve satisfies:

(i) $|E_{a_2,a_6}| = 1 + 1 + 2 \cdot |A_{(0,1)}| + 2 \cdot |A_{(1,0)}| = 1 + 1 + 2 \cdot 2 \cdot |A_{(1,0)}| = 2 + 4 \cdot |A_{(1,0)}|$ provided that $Tr(a_2) = 1$;

(ii) $|E_{a_2,a_6}| = 4 + 4 \cdot |A_{(0,0)}|$ provided that $Tr(a_2) = 0$ and $Tr(a_6) = 1$;

(iii) $|E_{a_2,a_6}| = 8 + 4 \cdot |A_{(0,0)}|$ provided that $Tr(a_2) = 0$ and $Tr(a_6) = 0$.

Proof. The proof of (i): Suppose $Tr(a_2) = 1$. The elliptic curve $E_{a_2,a_6}$ will include the point at infinity, and the point $(0, \sqrt{a_6})$. In addition, for each $x \in (A_{(1,0)} \cup A_{(0,1)})$ there will exist two values of $y$ such that $(x, y) \in E_{a_2,a_6}$. Lastly recall that $|A_{(1,0)}| = |A_{(0,1)}|$. Therefore $|E_{a_2,a_6}| = 1 + 1 + 2 \cdot |A_{(0,1)}| + 2 \cdot |A_{(1,0)}| = 1 + 1 + 2 \cdot 2 \cdot |A_{(1,0)}| = 2 + 4 \cdot |A_{(1,0)}|$.

The proofs of (ii) and (iii) follow from a similar counting argument (when $Tr(a_2) = 0$ the element $a_6^{1/4}$ is also the $x$-coordinate of two points, which accounts for the additional 2 in the constant terms).

Recall that $|A_{(i,i)}|$ is even for $i = 0, 1$. Therefore an elliptic curve will have a cofactor of 2 iff $Tr(a_2) = 1$ and $1 + 2 \cdot |A_{(0,1)}|$ is prime. An elliptic curve will have a cofactor of 4 iff $Tr(a_2) = 0$, $Tr(a_6) = 1$ and $1 + |A_{(0,0)}|$ is prime. For $L > 2$, an elliptic curve will have a cofactor of $2^L$ iff $Tr(a_2) = 0$, $Tr(a_6) = 0$ and $(2 + |A_{(0,0)}|)/2^{L-2}$ is prime.

As described by the above theorem, the number of points on an elliptic curve depends on the characterization of elements in $GF(2^n)$ and the trace of the elliptic curve parameters $a_2$ and $a_6$. If we fix the parameter $a_6$ and vary the parameter $a_2$ then the characterization for each $x$ in $GF(2^n)$ will be fixed. Therefore we have the following (this same result is provided in [2]).

Theorem 3. Let $\gamma \in GF(2^n)$ such that $Tr(\gamma) = 0$. Then for all $a_2, a_6$ we have

$$|E_{a_2+\gamma,\,a_6}| = |E_{a_2,a_6}|.$$

Proof. For a fixed $a_2$ and a $\gamma$ with $Tr(\gamma) = 0$, we have $Tr(a_2 + \gamma) = Tr(a_2)$, so Theorem 2 gives the same count for both curves.

A consequence of this theorem is that if $E_{a_2,a_6}$ represents a cryptographically relevant elliptic curve defined over $GF(2^n)$, then there exist $2^{n-1}$ many cryptographically relevant curves defined over the same field. In [13], it was shown that these curves are isomorphic to each other.

Let $a_2, a_6 \in GF(2^n)$. Then this fixes some elliptic curve $E_{a_2,a_6}$. Let $\gamma \in GF(2^n)$ where $Tr(\gamma) = 0$. Then [13] has established that both $E_{a_2,a_6}$ and $E_{a_2+\gamma,a_6}$ are isomorphic. But we will see that we can make even more inferences concerning the isomorphism. Suppose that $E_{a_2,a_6}$ has a cofactor of $2^L$. Then for all $P = (x, y) \in E_{a_2,a_6}$, there exists a $\zeta \in GF(2^n)$ such that $(x, \zeta) \in E_{a_2+\gamma,a_6}$. It can be shown that $\zeta = y + x \cdot \mathrm{SOLVE}(\gamma)$. That is, $(x, y + x \cdot \mathrm{SOLVE}(\gamma)) \in E_{a_2+\gamma,a_6}$. Let $\lambda = \frac{y + x \cdot \mathrm{SOLVE}(\gamma)}{x}$; then $\lambda^2 + \lambda = \frac{y^2}{x^2} + \frac{y}{x} + \mathrm{SOLVE}^2(\gamma) + \mathrm{SOLVE}(\gamma) = x + a_2 + \frac{a_6}{x^2} + \gamma = x + (a_2 + \gamma) + \frac{a_6}{x^2}$. It is obvious by the tools that we have developed that the point $P = (x, y) \in E_{a_2,a_6}$ is a double of some point iff the point $(x, y + x \cdot \mathrm{SOLVE}(\gamma)) \in E_{a_2+\gamma,a_6}$ is a double of some point in $E_{a_2+\gamma,a_6}$. Further, whenever $P = (x, y) \in G \subset E_{a_2,a_6}$ (where $G$ is the subgroup of large prime order), then $(x, y + x \cdot \mathrm{SOLVE}(\gamma))$ belongs to a subgroup of $E_{a_2+\gamma,a_6}$ of the same prime order as $G$. Thus we see that not only are $E_{a_2,a_6}$ and $E_{a_2+\gamma,a_6}$ isomorphic when $Tr(\gamma) = 0$, but that this isomorphism is trivial to compute.
Consequently the only relevant parameters to consider for $a_2$ are 0 and 1 (as long as $n$ is odd). In the WTLS specification of WAP [16], an elliptic curve identified as curve 4 in the specification is defined where the $a_2$ parameter is described in Table 1 (see below). Since $Tr(a_2) = 1$, this curve is isomorphic to $E_{1,a_6}$ where the $a_6$ parameter is given in Table 1. The elliptic curve $E_{1,a_6}$ has a subgroup of large prime order, the same as the order given in Table 1. This subgroup of $E_{1,a_6}$ has a generator $G' = (g'_x, g'_y)$ where $g'_x = G_x$ and $g'_y = G_y + G_x \cdot \mathrm{SOLVE}(\texttt{072546B5435234A422F0789675F432C89435DF5243})$ (the argument is $\gamma = a_2 + 1$, which has trace 0). From an implementation point of view it is much more efficient to use the elliptic curve $E_{1,a_6}$ than the curve described in Table 1, for whenever one has to perform a field multiplication with $a_2$, if $a_2 = 1$ then it is free. This type of field multiplication would always be needed when one implements the elliptic curve using a projective point representation. Thus the parameters of curve 4 in the WTLS specification should be changed to reflect this.



Table 1. Curve 4 of the WTLS specification [16], a curve over $GF(2^{163})$

generating polynomial                      (degree 163)
$a_2$                                      072546B5435234A422F0789675F432C89435DF5242
$a_6$                                      00C9517D06D5240D3CFF38C74B20B6CD4D6F9DD4D9
order of the generator $G = (G_x, G_y)$    0400000000000000000001F60EC8821CC74DAFAFC1
$G_x$                                      07AF69989546103D79329FCC3D74880F33BBF803CB
$G_y$                                      01EC23211B5966ADEA1D3F87F7EA5848AEF0B7CA9F
cofactor                                   2



4 An Improved Point Compression Method

Let $G$ denote the set of points of prime order and let $T_2 = (0, \sqrt{a_6})$.

If $Tr(a_2) = 0$ then $x^2 + \frac{a_6}{x^2} = 0$ is solvable, with solution $x = a_6^{1/4}$. Now the characterization of $a_6^{1/4}$ is $(Tr(a_6^{1/4}), Tr(\frac{\sqrt{a_6}}{a_6^{1/4}})) = (Tr(a_6), Tr(a_6))$. Thus $T_2$ is the double of some point with an $x$-coordinate of $a_6^{1/4}$. Let $Q_1$ and $Q_3$ denote the two points of $E$ which are $\frac{1}{2}T_2$.

Suppose $Tr(a_6) = 1$ and $Tr(a_2) = 0$. Then the $x$-coordinates of $Q_1$ and $Q_3$ have characterization $(Tr(a_6), Tr(a_6)) = (1,1)$. Therefore both $Q_1$ and $Q_3$ are not doubles of any points. Thus we see that there exists a subgroup of order 4 which contains $\mathcal{O}, Q_1, T_2$, and $Q_3$. Let $P \in G \setminus \{\mathcal{O}\}$; then the characterization of $x_P$ is $(0,0)$ and the characterization of $x_{P+T_2}$ is $(0,0)$. The characterizations of $x_{P+Q_1}$ and $x_{P+Q_3}$ are $(1,1)$; this follows from the fact that both $Q_1$ and $Q_3$ are NOT DOUBLES of any points. Observe that given a point $P = (x, y)$ in $G$, the field element $\frac{\sqrt{a_6}}{x}$ is the $x$-coordinate of an EC point which is in the coset $G + T_2$. Now all points $R \in G + T_2$ do have a half, but their halves do not have a half. Therefore if we find a $y$ such that $R = (x_R, y) \in E$, and then set $\lambda = x_R + \frac{y}{x_R}$ (so that $R = (x_R, \lambda)$ using Knudsen's definition [6]) and compute $(u, \lambda_U) = \mathrm{HALF}(x_R, \lambda)$, then $\mathrm{HALF}(u, \lambda_U) = $ No half point.

If $Tr(a_6) = 0$ and $Tr(a_2) = 0$, then the halves of $T_2$ are $Q_1$ and $Q_3$, and both $Q_1$ and $Q_3$ are doubles. So there exists a subgroup of order $2^{m+1}$ (for some $m \geq 2$) which contains $Q_1, T_2, Q_3$. Thus $\frac{1}{2^m}T_2 \in E$ but does not have a half. Again if $P = (x, y) \in G$ then $\frac{\sqrt{a_6}}{x}$ is the $x$-coordinate of $P + T_2$. If we compute $y'$ such that $(\frac{\sqrt{a_6}}{x}, y') \in E$, set $\lambda = \frac{\sqrt{a_6}}{x} + \frac{y'}{\sqrt{a_6}/x}$ and then repeatedly call the HALF function, eventually we will arrive at No half point, i.e. $\mathrm{HALF}^{m+1}(\frac{\sqrt{a_6}}{x}, \lambda) = $ No half point.



4.1 A Point Compression for $E_{a_2,a_6}$ when $Tr(a_2) = 0$

Let $\alpha \in GF(2^n)$ and represent $\alpha = (\rho_{n-1}, \ldots, \rho_1, \rho_0)$. Let $i$ denote the smallest subscript such that $\rho_i$ is used to compute the trace of $\alpha$ (for the fields considered here $i = 0$, since $n$ is odd and so $Tr(1) = 1$). Let $\zeta = (\zeta_{n-1}, \ldots, \zeta_1, \zeta_0) \in GF(2^n)$ be such that $Tr(\zeta) = 0$ (which equals $Tr(a_2) = 0$).

If a sender Alice wishes to transmit $\zeta$ to the receiver Bob, she should send $\mathrm{compress}(\zeta) = (\zeta_{n-1}, \ldots, \zeta_{i+1}, \zeta_{i-1}, \ldots, \zeta_0)$, which is merely $\zeta$ where we have removed the $\zeta_i$ term. If the receiver Bob receives $\mathrm{compress}(\zeta)$ then Bob will be able to reconstruct $\zeta$. Since Bob knows all parameters of the elliptic curve he knows both $Tr(a_2) = 0$ and the smallest subscript $i$ which is used to compute the trace. Thus Bob knows which bit $\zeta_i$ was omitted; by guessing $\zeta_i = 0$ and computing the trace of the corresponding field element, Bob can verify whether his guess was correct. His guess was correct if the trace value equals $Tr(a_2)$. Otherwise, if the trace value doesn't equal $Tr(a_2)$, then Bob knows the correct $\zeta$ satisfied $\zeta_i = 1$. Thus $n - 1$ bits are required to communicate an element $\zeta \in GF(2^n)$ where $Tr(\zeta) = 0$ and where $Tr(a_2) = 0$.

If a receiver is able to compute the $x$-coordinate of a point $P$ then the receiver will compute $y$ as follows: first compute $z = \mathrm{SOLVE}(x + a_2 + \frac{a_6}{x^2})$, then compute $y = x \cdot z$. The problem is that there are two solutions to $\mathrm{SOLVE}(x + a_2 + \frac{a_6}{x^2})$, one with trace 0 and the other with trace 1. So the sender must communicate the trace of $\frac{y}{x}$, which we will denote as $\epsilon$. If $z = \mathrm{SOLVE}(x + a_2 + \frac{a_6}{x^2})$ and $Tr(z) = \epsilon$ then $y = x \cdot z$, else if $Tr(z) \neq \epsilon$ then $y = x \cdot (z + 1)$.

We now describe how to accomplish a point compression of $n - 1$ bits. Let $T_2$ denote the point $(0, \sqrt{a_6}) \in E$; then $T_2$ has a half since $Tr(a_2) = 0$. Let $P = (x, y)$ be a cryptographically relevant point on $E$. Then $P$ belongs to $G$, a subgroup of prime order, thus the trace of $x$ is 0. The goal is that the sender will submit to the receiver $n - 1$ bits such that the receiver will be able to expand these bits to compute $P$. The sender and the receiver share the elliptic curve parameters, and both know the underlying field. Now for the sender to send $P = (x, y)$, they do the following: If $\frac{y}{x}$ has trace 0 the sender sets $\zeta = x$, else if $Tr(\frac{y}{x}) = 1$ the sender sets $\zeta = \frac{\sqrt{a_6}}{x}$. Then since $Tr(a_2) = 0$ we have $Tr(\zeta) = 0$ (recall that $Tr(\frac{\sqrt{a_6}}{x}) = Tr(x) + Tr(a_2)$ for any $x$-coordinate of a point on $E$). Thus to transmit $\zeta$ the sender sends $\mathrm{compress}(\zeta)$, which is $n - 1$ bits. When the receiver receives $\mathrm{compress}(\zeta)$ they will be able to reconstruct $\zeta$ as described above, since $Tr(\zeta) = 0$. At this time they compute $y'$ by first solving $z = \mathrm{SOLVE}(\zeta + a_2 + \frac{a_6}{\zeta^2})$ where $z$ satisfies $Tr(z) = 0$. They then set $y' = \zeta \cdot z$. If $\zeta = x$ then, because $Tr(\frac{y}{x}) = 0$ in that case, $(\zeta, y') = P$; otherwise $\zeta$ is the $x$-coordinate of the point $P + T_2$ and $(\zeta, y')$ lies in the coset $G + T_2$. Since $Tr(a_2) = 0$ there exists an $m$ such that $\frac{1}{2^m}T_2 \in E$ (here $T_2 = (0, \sqrt{a_6})$) but $\frac{1}{2^m}T_2$ does not have a half. Since the receiver knows all elliptic curve parameters they know $m$. The receiver computes $\mathrm{HALF}^{m+1}(\zeta, \zeta + \frac{y'}{\zeta})$; if a point is returned, then the receiver knows $P = (x, y) = (\zeta, y')$. However if $\mathrm{HALF}^{m+1}(\zeta, \zeta + \frac{y'}{\zeta})$ returns No half point then $\zeta = \frac{\sqrt{a_6}}{x}$. So they compute $x$ by $x = \frac{\sqrt{a_6}}{\zeta}$. Then they compute $z = \mathrm{SOLVE}(x + a_2 + \frac{a_6}{x^2}) = \mathrm{SOLVE}(\frac{\sqrt{a_6}}{\zeta} + a_2 + \zeta^2)$, but this time they select $z$ so that $z$ has trace 1. Finally they compute $y$ by $y = x \cdot z$. Many of the elliptic curves for which $Tr(a_2) = 0$ will have a cofactor of 4, which implies that $m$ will be 1. That is, if $Tr(a_2) = 0$ and the cofactor of the elliptic curve is 4, then $T_2$ belongs to a subgroup of order 4, thus $\frac{1}{2}T_2$ exists but $\frac{1}{4}T_2$ does not exist. All binary elliptic curves in the NIST recommended list of curves [10] for which $Tr(a_2) = 0$ have cofactors of 4.

Theorem 4. Let $E_{a_2,a_6}$ be an elliptic curve defined over $GF(2^n)$ where $Tr(a_2) = 0$. Then there exists an efficient point compression algorithm that will allow a sender to transmit $n - 1$ bits to send a point on the curve of prime order.

Consequently, we see that this point compression method requires less bandwidth than the patented compression methods described in [2,15] whenever $Tr(a_2) = 0$.



4.2 Point Compression Algorithm for $E_{a_2,a_6}$ where $Tr(a_2) = 1$

Thus we see that if $Tr(a_2) = 0$ there exists a point compression method that is superior to the previous point compression methods. It would be preferable to provide a point compression method which is the most efficient, and which utilizes comparable techniques for all cases. And so we now describe a point compression method for the case $Tr(a_2) = 1$. For the case $Tr(a_2) = 1$ we will demonstrate a method which is as efficient as the method by Seroussi; the benefit is that the form is comparable to the method that we described above.

Let $P = (x, y)$ be a cryptographically relevant point on $E$. Then $P$ belongs to $G$, a subgroup of prime order, so $P$ is a double and $Tr(x) = Tr(a_2) = 1$. Thus the characterization of $x$ is $(1,0)$, and in particular $Tr(\frac{\sqrt{a_6}}{x}) = 0$. The method is such that the sender will submit to the receiver $n$ bits such that the receiver will be able to expand these bits to compute $P$. Given $x$, one computes $z = \mathrm{SOLVE}(x + a_2 + \frac{a_6}{x^2})$; since there are two solutions one needs to know the correct trace value of the $z$-solution. $y$ then satisfies $y = zx$. To provide a unified approach to point compression we suggest that if $Tr(\frac{y}{x}) = 0$ the sender sets $\zeta = x$, otherwise if $Tr(\frac{y}{x}) = 1$ the sender sets $\zeta = \frac{\sqrt{a_6}}{x}$.

Suppose a sender and a receiver exchange an elliptic curve point. If the receiver receives $\zeta$ where $Tr(\zeta) = 1$ then the exchanged point $P = (x, y)$ is such that $x = \zeta$ and $y$ satisfies $Tr(\frac{y}{x}) = 0$. First the receiver computes $\lambda = \mathrm{SOLVE}(\zeta + a_2 + \frac{a_6}{\zeta^2})$ where $Tr(\lambda) = 0$. Then the receiver sets $y = x \cdot \lambda$. If the receiver receives $\zeta$ where $Tr(\zeta) = 0$ then the exchanged point $P = (x, y)$ is such that $x = \frac{\sqrt{a_6}}{\zeta}$ and $y$ satisfies $Tr(\frac{y}{x}) = 1$. First the receiver computes $\lambda = \mathrm{SOLVE}(\frac{\sqrt{a_6}}{\zeta} + a_2 + \zeta^2)$ where $Tr(\lambda) = 1$. Then the receiver sets $y = x \cdot \lambda$.

The efficiency (here we measure it in terms of the number of field operations that need to be computed) is as good as (perhaps slightly better than) Seroussi's method [12]. In our method the receiver will perform (in the worst case) two trace checks, an inversion, a square, a multiply and a SOLVE. The receiver may have precomputed and stored $\sqrt{a_6}$; in any case, in [4] it was demonstrated that a square root can be computed nearly as efficiently as a square (even when using a polynomial basis to represent a field element) for many fields $GF(2^n)$. In Seroussi's method a bit needs to be guessed and inserted into the stream, then a trace check, a bit may need to be changed, a square, a multiply, an inversion, a SOLVE, and one more trace check.



5 Attacking a User's Key Using Invalid ECC Parameters

Our last observation concerning the tools that we have developed in this paper is their use to efficiently check an elliptic curve parameter. It is important that during a key exchange a receiver checks elliptic curve parameters before utilizing these parameters with their private key [1]. One important parameter check is to verify that a received point is a point of prime order. Here we will assume that the sender and receiver are performing some type of elliptic curve key exchange and that the receiver receives a point $J_{received} = (x, y)$. The receiver has private key $k$ and will compute $k J_{received} = (a, b)$. In the end both rece iver and sender will have derived $(a, b)$. Of course they will hash $a$. If the receiver does not check that $J_{received}$ is of prime order then the sender may be able to detect a bit of the receiver's key $k$.

We will describe the attack and the remedy for the case when the elliptic curve parameter $a_2$ satisfies $Tr(a_2) = 0$. Let $G$ represent the subgroup of $E$ of prime order. The attack made by the sender is as follows. The sender sends a point $J_{received} \in G + T_2$; of course the $x$-coordinate of $J_{received}$ has trace 0 (it equals $\frac{\sqrt{a_6}}{x_P}$ for some $P \in G$), so a trace check alone does not reveal the substitution. The only way the receiver can determine that $J$ belongs to the coset $G + T_2$ is to compute $p J_{received}$, where $p$ is the prime order of $G$. If the receiver does not check the order of $J_{received}$ then when the receiver computes $k J_{received}$: if $k_0 = 0$ then $k J_{received} \in G$, and if $k_0 = 1$ then $k J_{received}$ belongs to the coset $G + T_2$ (writing $k_0$ for the low-order bit of $k$). Thus the low bit of the key is vulnerable to this attack. A solution is that if $G$ is a subgroup of order $p$ then the receiver should compute $p J_{received}$ to verify that it is the identity $\mathcal{O}$, but this will be at a cost of performance. If an elliptic curve has a cofactor of $2^{m+1}$ (which is true for all curves in [10,16]), then there is an efficient method which will allow us to distinguish between a point in $G$ and a point in the coset $G + T_2$. The alternative (the efficient check) is to first determine $m$ such that $\frac{1}{2^m}T_2 \in E$ but where $\frac{1}{2^m}T_2$ does not have a half. Then, after verifying that $(x, y) \in E$, the receiver computes $\mathrm{HALF}^{m+1}(x, x + \frac{y}{x})$. If the result is a point then the element was of prime order, otherwise it belonged to the coset.

In some cases this parameter check will be trivial. For example suppose that the elliptic curve has a cofactor of 2. Then a parameter check is trivial: simply determine if $(x, y) \in E$ and $Tr(x) = 1$.
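The following Python program is an added example written for this edit; it is not code from the paper or from any of the cited standards. It implements, over a toy field, the tools the paper uses: $GF(2^n)$ arithmetic, $Tr$ and SOLVE (SOLVE via the half-trace, valid for odd $n$), the group law of Section 2.2, Knudsen's HALF of Section 2.4 in halving coordinates, the sender and receiver of Sections 4.1 and 4.2 (the $Tr(a_2) = 1$ receiver treats $Tr(\zeta) = 1$ as $\zeta = x$, since points of $G$ are doubles and so have $Tr(x) = Tr(a_2) = 1$), and the $\mathrm{HALF}^{m+1}$ membership check of Section 5. Assumptions: $n = 9$ with reduction polynomial $t^9 + t^4 + 1$ stands in for the 163- to 571-bit fields; the sample curves are $y^2 + xy = x^3 + a_2 x^2 + 1$ with $a_2 \in \{0, 1\}$ (so $Tr(a_6) = 1$); $G$ is taken to be the odd-order subgroup (of prime order in the paper, but only oddness is used by the mechanics); all function names are this example's own.

```python
# Added example, not code from the paper: GF(2^n) tools (Sections 2-3), Knudsen's HALF (2.4),
# the n-1 / n bit compression of 4.1-4.2 and the Section 5 subgroup check, over a toy field.
# Assumption: n = 9, reduction polynomial t^9 + t^4 + 1; G is the odd-order subgroup.
N = 9
POLY = (1 << 9) | (1 << 4) | 1          # t^9 + t^4 + 1, irreducible over GF(2)

def mul(a, b):                          # product in GF(2^n); an int's bits are coefficients
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= POLY
    return r

def power(a, e):
    r = 1
    while e:
        r = mul(r, a) if e & 1 else r
        a, e = mul(a, a), e >> 1
    return r

def sq(a):   return mul(a, a)
def inv(a):  return power(a, (1 << N) - 2)     # a^(2^n - 2) = 1/a for a != 0
def sqrt(a): return power(a, 1 << (N - 1))     # a^(2^(n-1)); squaring is a bijection
def trace(a):                           # Tr(a) = a + a^2 + a^4 + ... + a^(2^(n-1)), in {0, 1}
    t = 0
    for _ in range(N):
        t, a = t ^ a, sq(a)
    return t

def solve(s):                           # SOLVE: one root w of w^2 + w = s, None if Tr(s) = 1
    if trace(s):
        return None
    h = 0                               # half-trace sum_{i=0}^{(n-1)/2} s^(2^(2i)), n odd
    for _ in range((N + 1) // 2):
        h, s = h ^ s, sq(sq(s))
    return h

def on_curve(P, a2, a6):                # equation (1): y^2 + xy = x^3 + a2 x^2 + a6
    return sq(P[1]) ^ mul(P[0], P[1]) == mul(P[0], sq(P[0])) ^ mul(a2, sq(P[0])) ^ a6
def add(P, Q, a2):                      # group law of Section 2.2; None stands for O
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 != y2 or x1 == 0):
        return None                     # Q = -P = (x1, x1 + y1), or T2 + T2 = O
    lam = x1 ^ mul(y1, inv(x1)) if x1 == x2 else mul(y1 ^ y2, inv(x1 ^ x2))
    x3 = sq(lam) ^ lam ^ x1 ^ x2 ^ a2
    return (x3, mul(lam, x1 ^ x3) ^ x3 ^ y1)

def smul(k, P, a2):                     # double-and-add scalar multiplication
    R = None
    while k:
        R = add(R, P, a2) if k & 1 else R
        P, k = add(P, P, a2), k >> 1
    return R

def half(P, a2):                        # HALF on halving coordinates (x, lam), lam = x + y/x
    x, lam = P
    if trace(x ^ a2):
        return None                     # "No half point": P is not a double
    lq = solve(x ^ a2)                  # equation (2): lam_Q^2 + lam_Q = a2 + x
    return (sqrt(mul(x, lq ^ lam ^ x ^ 1)), lq)   # equation (3); affine y of Q is u(u + lam_Q)
def in_G(P, a2, m):                     # Section 5: a point of E with x != 0 lies in G iff
    Q = (P[0], P[0] ^ mul(P[1], inv(P[0])))   # HALF^(m+1) never fails; cofactor is 2^(m+1)
    for _ in range(m + 1):
        Q = half(Q, a2) if Q else None
    return Q is not None

def compress(P, a2, a6):                # sender of Sections 4.1 / 4.2
    x, y = P
    zeta = x if trace(mul(y, inv(x))) == 0 else mul(sqrt(a6), inv(x))  # x of P or of P + T2
    return zeta >> 1 if trace(a2) == 0 else zeta  # Tr(zeta) = 0 when Tr(a2) = 0: drop bit 0

def decompress(c, a2, a6, m):           # receiver; bit 0 enters every trace since Tr(1) = 1
    zeta = c << 1 if trace(a2) == 0 else c
    if trace(a2) == 0 and trace(zeta):
        zeta |= 1                       # Bob's guess zeta_0 = 0 gave the wrong trace
    s = solve(zeta ^ a2 ^ mul(a6, inv(sq(zeta))))
    s ^= trace(s)                       # the trace-0 root: candidate y' = zeta * s
    # Tr(a2)=1: x in G has Tr(x)=Tr(a2)=1, sqrt(a6)/x trace 0; Tr(a2)=0: halve m+1 times (4.1)
    zeta_is_x = trace(zeta) == 1 if trace(a2) else in_G((zeta, mul(zeta, s)), a2, m)
    if zeta_is_x:
        return (zeta, mul(zeta, s))
    x = mul(sqrt(a6), inv(zeta))        # zeta was the x-coordinate of P + T2
    s = solve(x ^ a2 ^ sq(zeta))        # a6 / x^2 = zeta^2; this time take the trace-1 root
    return (x, mul(x, s ^ 1 ^ trace(s)))

def curve_order(a2, a6):                # the count behind Theorem 2: O, T2, two points per x
    return 2 + 2 * sum(trace(x ^ a2 ^ mul(a6, inv(sq(x)))) == 0 for x in range(1, 1 << N))
def point_in_G(a2, a6):                 # a point of odd order: clear the 2-part of |E| from
    order = curve_order(a2, a6)         # the first point found; m = log2(2-part) - 1
    for x in range(1, 1 << N):
        s = solve(x ^ a2 ^ mul(a6, inv(sq(x))))
        P = None if s is None else smul(order & -order, (x, mul(x, s)), a2)
        if P is not None:
            return P
```

On this field `curve_order(0, 1)` is 508 = 4 * 127 and `curve_order(1, 1)` is 518 = 2 * 259 (these are the Koblitz curves, whose orders follow from the Lucas sequence of their Frobenius traces), so the receiver's $m$ is 1 for $a_2 = 0$ and 0 for $a_2 = 1$, matching the cofactor-4 and cofactor-2 cases of Sections 4.1 and 4.2. `decompress(compress(P, a2, a6), a2, a6, m)` returns `P` for any point of $G$ (the `>> 1` in `compress` is the dropped bit of Section 4.1, so the $a_2 = 0$ output fits in $n - 1$ bits), while `in_G` applied to a point of the coset $G + T_2$ succeeds once and then fails when $m = 1$, which is exactly the failure the Section 5 check relies on; `smul(p, P, a2)` is the slower order check it replaces.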
6 Conclusion

Our work has provided several new tools in $GF(2^n)$ that provide great insight into elliptic curves defined over $GF(2^n)$. It has provided a new way to view the number of points on an elliptic curve, as well as a means to choose more efficient elliptic curve parameters (for example curve 4 in the WTLS list). Our main result is a new point compression method which is superior to prior methods whenever $Tr(a_2) = 0$. Lastly we have demonstrated how the halving algorithm can be utilized to check elliptic curve parameters.
7 Appendix

7.1 NIST Recommended Curves in $GF(2^n)$

In July 1999 NIST released a list of recommended but not required curves to use for elliptic curve cryptography when dealing with federal agencies. Today several of these curves have been adopted by many standards. Our interest is in those curves over the binary field $GF(2^n)$. The curves listed are: K-163, B-163, K-233, B-233, K-283, B-283, K-409, B-409, K-571, and B-571, where K-*** refers to a Koblitz curve whose Weierstrass equation is of the form

$$y^2 + xy = x^3 + a_2 x^2 + 1$$

and B-*** refers to a "random curve" whose Weierstrass equation is of the form

$$y^2 + xy = x^3 + x^2 + b.$$

For Koblitz curve K-163 the coefficient $a_2 = 1$; for the remaining Koblitz curves K-233, K-283, K-409, and K-571 the coefficient $a_2 = 0$. Thus for K-163 $Tr(a_2) = 1$ and for the other four Koblitz curves K-233, K-283, K-409, and K-571 $Tr(a_2) = 0$. The table provided below demonstrates a very efficient way to perform a trace check when utilizing a NIST curve. We have reproduced this table, which was originally given in [4].



Table 2. Trace computation for the NIST binary fields (reproduced from [4])

Curve types      Generating polynomial                         Condition for $\mu \in GF(2^n)$ to satisfy $Tr(\mu) = 0$
K-163, B-163     $p(t) = t^{163} + t^7 + t^6 + t^3 + 1$        $\mu_0 = \mu_{157}$
K-233, B-233     $p(t) = t^{233} + t^{74} + 1$                 $\mu_0 = \mu_{159}$
K-283, B-283     $p(t) = t^{283} + t^{12} + t^7 + t^5 + 1$     $\mu_0 = \mu_{277}$
K-409, B-409     $p(t) = t^{409} + t^{87} + 1$                 $\mu_0 = 0$
K-571, B-571     $p(t) = t^{571} + t^{10} + t^5 + t^2 + 1$     $\mu_0 + \mu_{561} + \mu_{569} = 0$
Abstract. The isogeny for elliptic curve cryptosystems was initially used for the efficient improvement of order counting methods. Recently, Smart proposed the countermeasure using isogeny for resisting the refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine the countermeasure using isogeny against the zero-value point (ZVP) attack, which is a generalization of Goubin's attack. We show that some curves require a higher order of isogeny to prevent the ZVP attack. Moreover, we prove that this countermeasure cannot transfer a class of curves to an efficient curve that is secure against the ZVP attack. This class satisfies that the curve order is odd and $(-3/p) = -1$ for the base field $p$, and includes three SECG curves. In addition, we compare some efficient algorithms that are secure against both Goubin's attack and the ZVP attack, and present the most efficient method of computing the scalar multiplication for each curve from SECG. Finally, we discuss another improvement for the efficient scalar multiplication, namely the usage of the point $(0, y)$ for the base point of curve parameters. We are able to improve by about 11% for the double-and-add-always method, when the point $(0, y)$ exists in the underlying curve or its isogeny.

Keywords: elliptic curve cryptosystems, isomorphism, isogeny, side channel attack, zero-value point attack.



1 Introduction

Elliptic curve cryptosystems (ECC) are efficient public-key cryptosystems with a short key size. ECC is suitable for implementation on memory-constrained devices such as mobile devices. However, if the implementation is careless, a side channel attack (SCA) might reveal the secret key of ECC. We have to carefully investigate the implementation of ECC in order to achieve high security.

The standard method of defending against SCA on ECC is randomizing the curve parameters, for instance, randomizing a base point in projective coordinates [5] and randomizing curve parameters in the isomorphic class [11]. However, Goubin pointed out that the point $(0, y)$ cannot be randomized by these methods [7]. He proposed a refined differential power analysis using the point $(0, y)$. This attack has been extended to the zero value of the auxiliary registers, called the zero-value point (ZVP) attack [1]. Both Goubin's attack and the ZVP attack assume that the base point $P$ can be chosen by the attacker and the secret scalar $d$ is fixed, so that we need to care about these attacks in ECIES and single-pass ECDH, but not in ECDSA and two-pass ECDH.

In order to resist Goubin's attack, Smart proposed to map the underlying curve to an isogenous curve that does not have the point $(0, y)$ [17]. This countermeasure with a small isogeny degree is faster than randomizing the secret scalar $d$ with the order of the curve. However, the security of this countermeasure against the ZVP attack has not been discussed yet; it could be vulnerable to the ZVP attack.

$^*$ This work was done while the first author stayed at Technische Universität Darmstadt, Germany.

1.1 Contribution of This Paper 

In this paper, we examine the countermeasure using isogeny against the ZVP attack. The zero-value points (ED1) $3x^2 + a = 0$, (MD1) $x^2 - a = 0$, and (MD2) $x^2 + a = 0$ are examined. We show that some curves require a higher degree of isogeny to prevent the ZVP attack. For example, SECG secp112r1 [18] is secure against Goubin's attack, but insecure against the ZVP attack. The 7-isogenous curve to secp112r1 is secure against both attacks, so we require an isogeny of degree 7 to prevent the ZVP attack. For each SECG curve we search for the minimal degree of isogeny to a curve that is secure against both Goubin's attack and the ZVP attack. Since the ZVP attack strongly depends on the structure of the addition formula, the minimal degree of isogeny depends not only on the curve itself but also on the addition formula. Interestingly, three SECG curves cannot be mapped to a curve with $a = -3$ that is secure against the ZVP attack. The curve with $a = -3$ is important for efficiency. We prove that this countermeasure cannot map a class of curves to a curve with $a = -3$ that is secure against the ZVP attack. This class satisfies that the curve order is odd and $(-3/p) = -1$ for the base field $\mathbb{F}_p$, and these three curves belong to this class.

Moreover, we estimate the total cost of the scalar multiplication when resistance against both Goubin's attack and the ZVP attack is necessary. We compare two efficient DPA-resistant methods, namely the window-based method and the Montgomery-type method, with the countermeasure using isogeny, and present the most efficient method to compute the scalar multiplication for each SECG curve.

Finally we show another efficient method for computing the scalar multiplication, namely using the point $(0, y)$ as the base point. We can prove that the discrete logarithm problem with the base point $(0, y)$ is as intractable as with a random one thanks to random self-reducibility. Compared with the previous method we are able to achieve about 11% faster scalar multiplication using the double-and-add-always method. This base point can also save 50% of the memory space without any compression trick. We propose a scenario to utilize the proposed method efficiently and show an example of a curve that achieves this scenario.

This paper is organized as follows: Section 2 briefly reviews known results about elliptic curve cryptosystems. Section 3 describes the choice of a curve secure against the ZVP attack using isogeny. In Section 4 we show efficient implementations using isogeny. In Section 5 we state concluding remarks.



2 Elliptic Curve Cryptosystems 

In this section we review some results on elliptic curve cryptosystems related to isogeny. Let $K = \mathbb{F}_p$ be a finite field, where $p > 3$. The Weierstrass form of an elliptic curve over $K$ is described as

$E : y^2 = x^3 + ax + b \quad (a, b \in K,\ \Delta = -16(4a^3 + 27b^2) \neq 0).$

The set of all points $P = (x, y)$ satisfying $E$, together with the point at infinity $\mathcal{O}$, is denoted by $E(K)$, which forms an Abelian group. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be two points on $E(K)$ that are not equal to $\mathcal{O}$. The sum $P_3 = P_1 + P_2 = (x_3, y_3)$ can be computed as

$x_3 = \lambda(P_1, P_2)^2 - x_1 - x_2, \quad y_3 = \lambda(P_1, P_2)(x_1 - x_3) - y_1,$

where $\lambda(P_1, P_2) = (3x_1^2 + a)/(2y_1)$ for $P_1 = P_2$, and $\lambda(P_1, P_2) = (y_2 - y_1)/(x_2 - x_1)$ for $P_1 \neq \pm P_2$. We call the former, $P_1 + P_2$ ($P_1 = P_2$), the elliptic curve doubling (ECDBL) and the latter, $P_1 + P_2$ ($P_1 \neq \pm P_2$), the elliptic curve addition (ECADD) in affine coordinates $(x, y)$. Each of these two addition formulae needs one inversion over $K$, which is much more expensive than a multiplication over $K$. Therefore, we transform the affine coordinates $(x, y)$ into other coordinates where inversion is not required. In this paper we deal with Jacobian coordinates $(X : Y : Z)$, setting $x = X/Z^2$ and $y = Y/Z^3$. The doubling and addition formulae can be represented as follows.

ECDBL in Jacobian coordinates (ECDBL$^J$):

$X_3 = T, \quad Y_3 = -8Y_1^4 + M(S - T), \quad Z_3 = 2Y_1Z_1,$
$S = 4X_1Y_1^2, \quad M = 3X_1^2 + aZ_1^4, \quad T = -2S + M^2.$

ECADD in Jacobian coordinates (ECADD$^J$):

$X_3 = -H^3 - 2U_1H^2 + R^2, \quad Y_3 = -S_1H^3 + R(U_1H^2 - X_3), \quad Z_3 = Z_1Z_2H,$
$U_1 = X_1Z_2^2, \quad U_2 = X_2Z_1^2, \quad S_1 = Y_1Z_2^3, \quad S_2 = Y_2Z_1^3, \quad H = U_2 - U_1, \quad R = S_2 - S_1.$

We call these formulae the standard addition formulae. ECADD$^J$ requires 16 multiplications when $Z_1 \neq 1$ and 11 when $Z_1 = 1$. ECDBL$^J$ requires 10 multiplications in general, 9 when $a$ is small, and only 8 when $a = -3$, by computing $M = 3(X_1 + Z_1^2)(X_1 - Z_1^2)$. For this reason all SECG random curves over $\mathbb{F}_p$ with prime order satisfy $a = -3$. In this paper, we are interested in curves with prime order such as these.
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2.1 Scalar Multiplication and Side Channel Attack 

The scalar multiplication evaluates $dP$ for a given integer $d$ and a base point $P$ of ECC. A standard algorithm for computing $dP$ is the binary method, which is implemented by repeatedly calling ECDBL and ECADD. Let $d = (d_{n-1} \cdots d_1 d_0)_2$ be the binary representation of $d$, where $d_{n-1} = 1$. The binary method is as follows:

Binary method
Input: an n-bit d, a base point P
Output: scalar multiplication dP
1. Q <- P
2. For i = n - 2 down to 0
   2.1. Q <- ECDBL(Q)
   2.2. if d_i = 1 then Q <- ECADD(Q, P)
3. Return Q

Double-and-add-always method
Input: an n-bit d, a base point P
Output: scalar multiplication dP
1. Q[0] <- P
2. For i = n - 2 down to 0
   2.1. Q[0] <- ECDBL(Q[0])
   2.2. Q[1] <- ECADD(Q[0], P)
   2.3. Q[0] <- Q[d_i]
3. Return Q[0]

SPA uses a single observation of the power consumption to obtain information about the secret key. The binary method is vulnerable to SPA: since ECADD is computed only if the underlying bit is 1, and an SPA attacker can distinguish ECDBL from ECADD, he can detect the secret bit. Coron proposed a simple countermeasure called the double-and-add-always method [5]. The attacker cannot guess the bit information because this method always computes ECADD whether $d_i = 0$ or $1$. Two more efficient methods have been proposed. The first is the window-based method [13,14,16] and the second is the Montgomery-type method [3,6,8,9,10].

DPA uses many observations of the power consumption together with statistical tools. To enhance SPA security to DPA security, we must insert random numbers during the computation of $dP$. The standard randomization methods for the base point $P$ are Coron's 3rd countermeasure [5] and the Joye-Tymen countermeasure [11]. In order to randomize the representation of the processing point, Coron's 3rd countermeasure uses a randomized representation of Jacobian (projective) coordinates and the Joye-Tymen countermeasure uses a randomized isomorphism of the elliptic curve.

2.2 Efficient Method Secure against DPA 

Window-Based Method. The window-based method secure against SPA was first proposed by Möller [13,14], and optimized by Okeya and Takagi [16]. This method uses the standard addition formulae, the same as the double-and-add-always method. It makes the fixed pattern $|0 \cdots 0x|0 \cdots 0x| \cdots |0 \cdots 0x|$ for some $x$. Though an SPA attacker distinguishes ECDBL and ECADD in the scalar multiplication by measuring the power consumption, he obtains only the identical sequence $|D \cdots DA|D \cdots DA| \cdots |D \cdots DA|$, where $D$ and $A$ denote ECDBL and ECADD, respectively. Therefore, he cannot guess the bit information. This method reduces the number of ECADDs compared with the double-and-add-always method and is thus more efficient. In order to make this method DPA-resistant, we have to insert a random value using Coron's 3rd countermeasure or the Joye-Tymen countermeasure. Moreover, we have to randomize the values in the table to protect against 2nd-order DPA. We estimate the computational cost of the scalar multiplication $dP$ according to [16]. Denote the computational cost of a multiplication and an inversion in the definition field by $M$ and $I$, respectively. The total cost is estimated as $(16 \cdot 2^w + (9w + 21)k - 18)M + I$ when $a$ is small and $(16 \cdot 2^w + (8w + 21)k - 18)M + I$ when $a = -3$, where $n$ is the bit length of $d$, $w$ is the window size, and $k = \lceil n/w \rceil$.

Montgomery-Type Method. The Montgomery-type method was originally proposed by Montgomery [15] and extended to the Weierstrass form of elliptic curves over $K$ [3,6,8,9,10]. This method always computes ECADD and ECDBL whether $d_i = 0$ or $1$, as the double-and-add-always method does, and thus satisfies SPA-resistance. In this method, we don't need the $y$-coordinate ($Y$-coordinate in projective coordinates) to compute the scalar multiplication $dP$. This leads to the efficiency of the Montgomery-type method. In the original method ECADD and ECDBL are computed separately. However, Izu and Takagi encapsulated these formulae into one formula mECADDDBL to share intermediate variables and cut two multiplications [10]. Let $P_1 = (X_1 : Z_1)$ and $P_2 = (X_2 : Z_2)$ in projective coordinates, which are not equal to $\mathcal{O}$, by setting $x = X/Z$. In the following we describe the encapsulated formula mECADDDBL$^x$, which computes $P_3 = (X_3 : Z_3) = P_1 + P_2$ and $P_4 = (X_4 : Z_4) = 2P_1$, where $P_1 \neq \pm P_2$, $P_3' = (X_3' : Z_3') = P_1 - P_2$ and $Z_3' \neq 0$.

ECADDDBL in the Montgomery-type method (mECADDDBL$^x$):

$X_3 = Z_3'\bigl(2(X_1Z_2 + X_2Z_1)(X_1X_2 + aZ_1Z_2) + 4bZ_1^2Z_2^2\bigr) - X_3'(X_1Z_2 - X_2Z_1)^2,$
$Z_3 = Z_3'(X_1Z_2 - X_2Z_1)^2,$
$X_4 = (X_1^2Z_2^2 - aZ_1^2Z_2^2)^2 - 8bX_1Z_1^3Z_2^4,$
$Z_4 = 4Z_1Z_2\bigl(X_1Z_2(X_1^2Z_2^2 + aZ_1^2Z_2^2) + bZ_1^3Z_2^3\bigr).$

We call this formula the Montgomery-type addition formula. mECADDDBL requires 17 multiplications in general and 15 when $a$ is small. In order to make this method DPA-resistant, we have to use Coron's 3rd countermeasure or the Joye-Tymen countermeasure. The total cost of the scalar multiplication $dP$ is estimated as $(17n + 8)M + I$ in general and $(15n + 10)M + I$ when $a$ is small, where $n$ is the bit length of the scalar $d$ (see [8]).

2.3 Isomorphism and Isogeny 

Two elliptic curves $E_1(a_1, b_1)$ and $E_2(a_2, b_2)$ are called isomorphic if and only if there exists $r \in K^*$ such that $a_1 = r^4 a_2$ and $b_1 = r^6 b_2$. The isomorphism is given by

$\phi : E_1 \to E_2, \quad (x, y) \mapsto (r^{-2}x,\ r^{-3}y).$

Each isomorphism class contains $(p-1)/2$ such curves (for $ab \neq 0$), since $r$ and $-r$ give the same pair $(r^4 a, r^6 b)$.

Let $\Phi_l(X, Y)$ be the modular polynomial of degree $l$. Two elliptic curves $E_1(a_1, b_1)$ and $E_2(a_2, b_2)$ are called $l$-isogenous if and only if $\Phi_l(j_1, j_2) = 0$ holds, where $j_i$ is the $j$-invariant of the curve $E_i$ for $i = 1, 2$. Isogenous curves have the same order. The isogeny is given by

$\psi : E_1 \to E_2, \quad (x, y) \mapsto \left( \frac{f_1(x)}{g(x)^2},\ \frac{y\, f_2(x)}{g(x)^3} \right),$

where $f_1$, $f_2$ and $g$ are polynomials of degree $l$, $(3l-1)/2$ and $(l-1)/2$ respectively (see details in [2, Chapter VII]). By Horner's rule, the computational cost of this mapping is estimated as $(l + (3l-1)/2 + (l-1)/2 + 5)M + I = (3l + 4)M + I$.

The usage of isogeny for elliptic curve cryptosystems initially appeared for improving the order counting method (see, for example, [12]). Recently, some new applications of isogeny have been proposed, namely for improving the efficiency of the scalar multiplication [4], and for enhancing the security against a new attack [17].

Brier and Joye reported that isogeny could be used for improving the efficiency of ECDBL$^J$ [4]. Recall that if the curve parameter $a$ of an elliptic curve is equal to $-3$, the cost of ECDBL$^J$ is reduced from 10 multiplications to 8. If there is an integer $r$ such that $-3 = r^4 a$, then we can transform the original elliptic curve to the isomorphic curve with $a = -3$. However, the success probability is about 1/2 when $p \equiv 3 \pmod 4$ or about 1/4 when $p \equiv 1 \pmod 4$. They proposed that an isogenous curve of the original curve could have $a = -3$.

Goubin proposed a new power analysis on ECC [7]. This attack utilizes the points $(x, 0)$ and $(0, y)$ that cannot be randomized by the above two standard randomization techniques. Goubin's attack is effective on curves that have a point $(x, 0)$ or $(0, y)$ in protocols such as ECIES and single-pass ECDH. The point $(x, 0)$ is not on a curve with prime order because the order of $(x, 0)$ is 2. The point $(0, y)$ appears on the curve if $b$ is a quadratic residue modulo $p$; it is computed by solving $y^2 = b$. As a countermeasure to Goubin's attack, Smart utilized isogeny [17]. He proposed that if the original curve $E$ has a point $(0, y)$, an isogenous curve $E'$ of $E$ could have no point $(0, y)$. If we can find such an $E'$, we transfer the base point $P \in E$ to $P' \in E'$ using the isogeny $\psi : E \to E'$. Instead of computing the scalar multiplication $Q = dP$, we compute $Q' = dP'$ on $E'$ and then pull back $Q \in E$ from $Q' \in E'$ by the mapping $\hat{\psi} : E' \to E$. The mappings $\psi$ and $\hat{\psi}$ require $(3l + 4)M + I$ each, so the additional cost of this countermeasure is $(6l + 8)M + 2I$.

At ISC'03, we proposed the zero-value point (ZVP) attack, which is an extension of Goubin's attack [1]. We pointed out that even if the point has no zero-value coordinate, the auxiliary registers might take a zero value. We found several points $(x, y)$ which cause zero-value registers and called these points zero-value points (ZVP). ZVP strongly depend on the structure of the addition formula; namely, the ZVP for the standard addition formulae are different from those for the Montgomery-type addition formula. The points satisfying the following conditions, arising from ECDBL, are effectively used for the ZVP attack.

- (ED1) $3x^2 + a = 0$ for the standard addition formulae
- (MD1) $x^2 - a = 0$ and (MD2) $x^2 + a = 0$ for the Montgomery-type addition formula

The attacker can also utilize the points that cause zero-value registers in ECADD; however, finding ZVP in ECADD is much more difficult than in ECDBL. In this paper we consider only the above points (ED1), (MD1), and (MD2).

3 Isogeny Countermeasure against ZVP Attack 

In this section we examine the countermeasure using isogeny against the ZVP attack. In order to prevent the ZVP attack, we have to choose a curve which has neither the point $(0, y)$ nor (ED1) for the methods using the standard addition formulae, and neither $(0, y)$, (MD1) nor (MD2) for the Montgomery-type method. The degree of isogeny depends not only on the curve itself but also on the addition formulae. We examine the standard curves from SECG [18].

3.1 Example from SECG Curve

For example, we consider the curve secp112r1 from the SECG curves [18]. secp112r1 $E : y^2 = x^3 + ax + b$ over $\mathbb{F}_p$ is defined by

  p = 4451685225093714772084598273548427,
  a = 4451685225093714772084598273548424 = -3,
  b = 2061118396808653202902996166388514.

This curve does not have $(0, y)$, but has (ED1) $3x^2 + a = 0$ at

  (x, y) = (1, 1170244908728626138608688645279825).

Therefore secp112r1 is secure against Goubin's attack, but vulnerable to the ZVP attack for the methods using the standard addition formulae. However, the 7-isogenous curve $E' : y^2 = x^3 + a'x + b'$ over $\mathbb{F}_p$ defined by

  a' = 1,
  b' = 811581442038490117125351766938682,

has neither $(0, y)$ nor (ED1) $3x^2 + a' = 0$. Thus $E'$ is secure against both Goubin's attack and the ZVP attack for the methods using the standard addition formulae. We don't require the isogeny defense to prevent Goubin's attack, but require an isogeny of degree 7 to prevent the ZVP attack.

3.2 Experimental Results from SECG Curves

For each SECG curve we search for the minimal degree of isogeny to a curve which has neither $(0, y)$ nor ZVP as described above. If the original curve has neither $(0, y)$ nor ZVP, we specify this degree as 1. For the standard addition formulae, we also search for the minimal isogeny degree to a curve which we prefer for particularly efficient implementation, namely $a = -3$ as described in Section 2. We call the former the minimal isogeny degree and the latter the preferred isogeny degree, and define $l_{std}$, $l_{prf}$, and $l_{mnt}$ as follows:

- $l_{std}$: the minimal isogeny degree for the standard addition formulae,
- $l_{prf}$: the preferred isogeny degree for the standard addition formulae,
- $l_{mnt}$: the minimal isogeny degree for the Montgomery-type addition formula.

Here we show the search method for these degrees for the standard addition formulae.

Algorithm 1: Search method for the standard addition formulae
Input: $E : y^2 = x^3 + ax + b$ over $\mathbb{F}_p$, $j$ = $j$-invariant of $E$
Output: minimal isogeny degree $l_{std}$ and preferred isogeny degree $l_{prf}$
1. Set $l \leftarrow 3$.
2. Solve the equation $\Phi_l(j, X) = 0$ for $X$.
3. If the equation has no solution then go to Step 4, else
   3.1. Construct $E' : y^2 = x^3 + a'x + b'$ whose $j$-invariant $j'$ is a solution of Step 2.
   3.2. Check whether $E'$ has the point $(0, y)$ or (ED1).
   3.3. If $E'$ has either then go to Step 4, else
        3.3.1. If $l_{std}$ is null, set $l_{std} \leftarrow l$.
        3.3.2. Check whether $r \in \mathbb{F}_p^*$ exists with $r^4 a' = -3 \bmod p$.
        3.3.3. If it exists then set $l_{prf} \leftarrow l$ and stop, else go to Step 4.
4. If $l > 107$ then stop, else $l \leftarrow$ nextprime($l$) and go to Step 2.

In this algorithm nextprime($l$) is a function which returns the smallest prime number larger than $l$. For $l_{mnt}$, we check (MD1) and (MD2) instead of (ED1) in Step 3.2.
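The per-curve checks of Steps 3.2 and 3.3.2 are simple enough to write down. The following Python is an added example, not code from the paper: it tests a curve $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$ for Goubin's point $(0, y)$, for zero-value points of type (ED1), (MD1) and (MD2), for the existence of $r$ with $r^4 a = -3$ (Step 3.3.2), and for the base-field condition $(-3/p) = -1$ used in Section 3.3. Step 2 (solving the modular polynomial) is not implemented. The curve constants are those of secp112r1 and its 7-isogenous curve from Section 3.1; the toy values in the usage notes below are constructed.

```python
"""Per-curve checks behind Algorithm 1, Steps 3.2 and 3.3.2.  Added example,
not code from the paper.  Decides whether y^2 = x^3 + ax + b over F_p has
Goubin's point (0, y), a zero-value point of type (ED1), (MD1) or (MD2),
whether it is isomorphic to a curve with a = -3, and whether p lies in the
class (-3/p) = -1 of Theorem 2.  Step 2 (modular polynomials) is not done."""

from math import gcd


def legendre(n, p):
    """Legendre symbol (n/p) for an odd prime p: 1, -1 or 0."""
    r = pow(n % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def sqrt_mod(n, p):
    """A square root of n modulo an odd prime p, or None if n is a non-residue
    (Tonelli-Shanks; the p = 3 mod 4 shortcut covers the SECG primes used here)."""
    n %= p
    if n == 0:
        return 0
    if legendre(n, p) != 1:
        return None
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while legendre(z, p) != -1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def points_with_x(x, a, b, p):
    """Affine points of E with the given x-coordinate (0, 1 or 2 of them)."""
    y = sqrt_mod(x * x * x + a * x + b, p)
    if y is None:
        return []
    return [(x, y)] if y == 0 else [(x, y), (x, p - y)]


def has_goubin_point(a, b, p):
    """Goubin's point (0, y) exists iff b is a quadratic residue (Section 2.3)."""
    return bool(points_with_x(0, a, b, p))


def zero_value_points(kind, a, b, p):
    """Curve points satisfying (ED1) 3x^2 + a = 0, (MD1) x^2 - a = 0 or (MD2) x^2 + a = 0.
    Each condition reads x^2 = c; solve for x, then lift x to the curve."""
    c = {"ED1": -a * pow(3, p - 2, p), "MD1": a, "MD2": -a}[kind] % p
    x = sqrt_mod(c, p)
    if x is None:
        return []
    pts = []
    for root in sorted({x, (p - x) % p}):
        pts += points_with_x(root, a, b, p)
    return pts


def secure_for_standard_formulae(a, b, p):
    """Step 3.2: neither Goubin's point nor an (ED1) point (standard addition formulae)."""
    return not has_goubin_point(a, b, p) and not zero_value_points("ED1", a, b, p)


def secure_for_montgomery_formula(a, b, p):
    """The l_mnt variant of Step 3.2: no Goubin's point, no (MD1) and no (MD2) point."""
    return (not has_goubin_point(a, b, p)
            and not zero_value_points("MD1", a, b, p)
            and not zero_value_points("MD2", a, b, p))


def isomorphic_to_a_minus_3(a, p):
    """Step 3.3.2: does r in F_p^* with r^4 a = -3 exist?  Yes iff -3/a is a
    fourth-power residue, i.e. (-3/a)^((p-1)/gcd(4, p-1)) = 1."""
    c = -3 * pow(a, p - 2, p) % p
    return pow(c, (p - 1) // gcd(4, p - 1), p) == 1


def in_theorem2_class(p):
    """Base-field condition (-3/p) = -1 of Theorem 2 and Corollary 1."""
    return legendre(-3, p) == -1


# secp112r1 and its 7-isogenous curve, with the constants given in Section 3.1.
P112 = 4451685225093714772084598273548427
A112, B112 = P112 - 3, 2061118396808653202902996166388514
A112_ISO, B112_ISO = 1, 811581442038490117125351766938682

if __name__ == "__main__":
    for name, a, b in (("secp112r1", A112, B112), ("7-isogenous curve", A112_ISO, B112_ISO)):
        print(name, "Goubin point:", has_goubin_point(a, b, P112),
              "(ED1) points:", zero_value_points("ED1", a, b, P112),
              "std-secure:", secure_for_standard_formulae(a, b, P112),
              "a -> -3 possible:", isomorphic_to_a_minus_3(a, P112))
    print("(-3/p) = -1:", in_theorem2_class(P112))
```

Running the script shows the behaviour claimed above: secp112r1 has (ED1) points with $x = \pm 1$ (as Theorem 2 predicts, since $(-3/p) = -1$ for this field), while the 7-isogenous curve with $a' = 1$ has none, because $3x^2 + 1 = 0$ needs $-1/3$ to be a square and $(-1/p)(3/p) = -1$ here. The same field fact is why Step 3.3.2 fails for $a' = 1$: $-3$ is not a fourth power modulo $p$.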

Table 1 shows the isogeny degrees $l_{std}$, $l_{prf}$, and $l_{mnt}$ for the SECG curves. The number in parentheses is the minimal isogeny degree listed in [17], which considers only Goubin's point $(0, y)$ (not the ZVP). In order to prevent the ZVP attack, some curves require a higher degree of isogeny, e.g., secp112r1 for $l_{std}$. These isogeny degrees depend not only on the curve itself but also on the addition formula; namely, some curves require different isogeny degrees for the standard addition formulae and the Montgomery-type addition formula. Interestingly, we have not found a preferred isogeny degree up to 107 for secp112r1, secp192r1, and secp384r1.

3.3 Some Properties of ZVP Attack

Here we show some properties of the zero-value point attack.

Theorem 1. Let $E$ be an elliptic curve over the prime field $\mathbb{F}_p$ defined by $y^2 = x^3 + ax + b$. The elliptic curve $E$ has a point $(0, y)$ if $E$ satisfies (MD2) $x^2 + a = 0$.

Proof. If $a = 0$ or $b = 0$ holds, then the assertion is trivial. We assume that $a \neq 0$ and $b \neq 0$. Note that $(0, y)$ exists on the curve $E$ if $b$ is a quadratic residue in $\mathbb{F}_p^*$. Let $s \in \mathbb{F}_p^*$ be a solution of the equation $x^2 + a = 0$. Condition (MD2) implies that there is a solution $y = t$ of the equation $y^2 = s^3 + as + b$. Thus $E$ has the point $(0, t)$, because $s^3 + as + b = (s^2 + a)s + b = b$.
                 l_std       l_prf        l_mnt
  secp112r1      7 (1)       > 107 (1)    1 (1)
  secp128r1      7 (7)       7 (7)        7 (7)
  secp160r1      13 (13)     13 (13)      19 (13)
  secp160r2      19 (19)     41 (41)      19 (19)
  secp192r1      23 (23)     > 107 (73)   23 (23)
  secp224r1      1 (1)       1 (1)        1 (1)
  secp256r1      3 (3)       23 (11)      3 (3)
  secp384r1      31 (19)     > 107 (19)   19 (19)
  secp521r1      5 (5)       5 (5)        7 (5)

Table 1. Minimal and preferred isogeny degrees for SECG curves (in parentheses: the degree from [17], which considers only Goubin's point)



All curves which satisfy condition (MD2) have Goubin's point $(0, y)$. These curves are insecure against both Goubin's attack and the ZVP attack.

Theorem 2. Let $E$ be an elliptic curve over the prime field $\mathbb{F}_p$ defined by $y^2 = x^3 + ax + b$. The elliptic curve $E$ satisfies condition (ED1) $3x^2 + a = 0$ if $E$ satisfies the following three conditions: (1) $a = -3$, (2) $\#E$ is odd, and (3) $p$ satisfies $(-3/p) = -1$, where $(\cdot/\cdot)$ is the Legendre symbol.

Proof. Since $E$ has odd order, $E$ does not have a point $(x, 0)$, and thus the equation $x^3 + ax + b = 0$ has no root in $\mathbb{F}_p$. Then the definition of the discriminant $\Delta$ yields $(\Delta/p) = 1$ (a cubic with no root in $\mathbb{F}_p$ is irreducible, so the Frobenius permutes its three roots cyclically and the discriminant is a square). Note that the condition $(-3/p) = -1$ then implies $((b+2)(b-2)/p) = -1$, because $\Delta = -16(4(-3)^3 + 27b^2) = -3 \cdot 12^2 (b+2)(b-2)$. Thus exactly one of $((b+2)/p) = 1$ and $((b-2)/p) = 1$ holds. In other words, the equation $y^2 = x^3 + ax + b$ with $a = -3$ is solvable in $y$ for $x = -1$ or for $x = 1$, and both values satisfy $3x^2 + a = 0$. Consequently, an elliptic curve $E$ with the above three conditions satisfies (ED1) $3x^2 + a = 0$.

The definition fields $\mathbb{F}_p$ in Table 1 that satisfy $(-3/p) = -1$ are those of secp112r1, secp192r1, and secp384r1. These curves also have odd order and satisfy $a = -3$. Therefore, these curves satisfy (ED1) and are vulnerable to the ZVP attack.

Since an isogenous curve has the same order as $E$, any isogenous curve with $a = -3$ always satisfies (ED1) and thus is insecure against the ZVP attack. We have the following corollary.

Corollary 1. Let $E$ be an elliptic curve over the prime field $\mathbb{F}_p$. We assume that $\#E$ is odd and $(-3/p) = -1$. No isogeny can map $E$ to a curve with $a = -3$ that is secure against the ZVP attack.

Corollary 1 shows that it is impossible to find an isogenous curve with $a = -3$ which does not satisfy (ED1), namely an $l_{prf}$-isogenous curve, for these three curves.
4 Efficient Implementation Using Isogeny

4.1 Most Efficient Method for Each SECG Curve

We estimate the total cost of the scalar multiplication when resistance against both Goubin's attack and the ZVP attack is necessary. This situation corresponds to the scalar multiplication in ECIES and single-pass ECDH.

Here we consider the two efficient DPA-resistant methods, namely the window-based method and the Montgomery-type method. We have to use the window-based method on the $l_{std}$-isogenous curve because this method uses the standard addition formulae. An isomorphism enables an efficient implementation with small $a$. Moreover, a more efficient implementation with $a = -3$ can be achieved on the $l_{prf}$-isogenous curve. On the other hand, we have to use the Montgomery-type method on the $l_{mnt}$-isogenous curve. An isomorphism also enables an efficient implementation with small $a$.

Therefore, we consider the following three methods:

Method 1: Window-based method with small $a$ on the $l_{std}$-isogenous curve.
Method 2: Window-based method with $a = -3$ on the $l_{prf}$-isogenous curve.
Method 3: Montgomery-type method with small $a$ on the $l_{mnt}$-isogenous curve.

From Section 2 we estimate the total cost of each method as follows:

Method 1: $T_1 = (16 \cdot 2^w + (9w + 21)k + 6l_{std} - 10)M + 3I$,
Method 2: $T_2 = (16 \cdot 2^w + (8w + 21)k + 6l_{prf} - 10)M + 3I$,
Method 3: $T_3 = (15n + 6l_{mnt} + 18)M + 3I$.

If the isogeny degree equals 1, the cost of the isogeny ($14M + 2I$) is cut.

Table 2 shows the estimated cost for each SECG curve. Method 2 cannot be used for some curves because there is no preferred isogeny degree $l_{prf}$ (the notation '—' indicates these curves). The most efficient method for each curve is Method 3 for secp112r1, secp128r1, secp160r2 and secp192r1, Method 2 for secp160r1, secp224r1, secp256r1 and secp521r1, and Method 1 for secp384r1. The most efficient method differs from curve to curve because the isogeny depends on the curve and on the implementation method.
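The three cost formulas are easy to check mechanically. The following Python is an added example, not code from the paper: it evaluates $T_1$, $T_2$, $T_3$ from the component costs of Section 2 and the isogeny degrees of Table 1 and reproduces the entries of Table 2. The inversion-to-multiplication ratio used to rank the methods is an assumption of this example; the paper compares the $M$ counts directly.

```python
"""Cost model of Section 4.1 (Methods 1-3).  Added example, not code from the
paper: it evaluates T1, T2, T3 from the window-method and Montgomery-type
costs of Section 2 plus the isogeny overhead (6l + 8)M + 2I, which is dropped
when the isogeny degree is 1, and reproduces the entries of Table 2."""

from math import ceil


def isogeny_overhead(l):
    """psi and psi-hat together cost (6l + 8)M + 2I; nothing when no isogeny is used (l = 1)."""
    return (6 * l + 8, 2) if l > 1 else (0, 0)


def window_cost(n, w, a_is_minus_3):
    """Window-based method [16]: (16*2^w + (9w+21)k - 18)M + I with k = ceil(n/w); 8w when a = -3."""
    k = ceil(n / w)
    return 16 * 2 ** w + ((8 if a_is_minus_3 else 9) * w + 21) * k - 18, 1


def montgomery_cost(n):
    """Montgomery-type method with small a [8]: (15n + 10)M + I."""
    return 15 * n + 10, 1


def method_cost(method, n, w, l):
    """(M, I) of Method 1, 2 or 3 on the l-isogenous curve; None if no usable degree exists."""
    if l is None:
        return None
    base = {1: window_cost(n, w, False), 2: window_cost(n, w, True), 3: montgomery_cost(n)}[method]
    extra = isogeny_overhead(l)
    return base[0] + extra[0], base[1] + extra[1]


# (bit length n, window size w, l_std, l_prf, l_mnt) per curve, taken from Table 1;
# None marks the three curves for which no preferred degree exists up to 107.
CURVES = {
    "secp112r1": (112, 4, 7, None, 1),
    "secp128r1": (128, 4, 7, 7, 7),
    "secp160r1": (160, 4, 13, 13, 19),
    "secp160r2": (160, 4, 19, 41, 19),
    "secp192r1": (192, 4, 23, None, 23),
    "secp224r1": (224, 4, 1, 1, 1),
    "secp256r1": (256, 4, 3, 23, 3),
    "secp384r1": (384, 5, 31, None, 19),
    "secp521r1": (521, 5, 5, 5, 7),
}


def cost_table(curves=CURVES):
    """Table 2: {curve: (T1, T2, T3)}, each entry an (M, I) pair or None."""
    table = {}
    for name, (n, w, l_std, l_prf, l_mnt) in curves.items():
        table[name] = (method_cost(1, n, w, l_std),
                       method_cost(2, n, w, l_prf),
                       method_cost(3, n, w, l_mnt))
    return table


def cheapest_method(name, inversion_ratio=30):
    """Method number with the lowest weighted cost, counting one inversion as
    `inversion_ratio` multiplications (an assumed ratio, not from the paper)."""
    options = []
    for idx, cost in enumerate(cost_table()[name]):
        if cost is not None:
            options.append((cost[0] + inversion_ratio * cost[1], idx + 1))
    return min(options)[1]


if __name__ == "__main__":
    for name, row in cost_table().items():
        cells = ["-" if c is None else f"{c[0]}M + {c[1]}I" for c in row]
        print(f"{name:10s}", *(f"{cell:>14s}" for cell in cells), f"best: Method {cheapest_method(name)}")
```

The printed rows match Table 2 entry for entry; for example secp112r1 gives $1884M + 3I$ for Method 1 and $1690M + I$ for Method 3, the latter without the isogeny overhead because $l_{mnt} = 1$.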

4.2 Efficient Scalar Multiplication Using (0, y)

In this section we propose another improvement for computing the scalar multiplication efficiently.

In order to describe our method clearly, we categorize improvements of efficiency into five classes, namely, (1) curve parameters (e.g. $a = -3$, $Z = 1$, etc.), (2) addition chain (e.g. binary method, NAF, etc.), (3) base field (e.g. optimal normal basis, OEF, etc.), (4) coordinates (e.g. projective coordinates, Jacobian coordinates, etc.), (5) curve form (e.g. Montgomery form, Hessian form, etc.). The proposed method belongs to class (1), but its improvement is related to classes (2), (4), and (5). Our improvement can be used simultaneously with the other methods in class (1). For the sake of convenience, we discuss the improvement for the double-and-add-always method of Section 2 on a curve with parameter $a = -3$, $Z = 1$, Jacobian coordinates, and Weierstrass form.
                 Method 1                  Method 2                  Method 3
  secp112r1      1884M + 3I (w = 4)        —                         1690M + I   *
  secp128r1      2112M + 3I (w = 4)        1984M + 3I (w = 4)        1980M + 3I  *
  secp160r1      2604M + 3I (w = 4)        2444M + 3I (w = 4)  *     2532M + 3I
  secp160r2      2640M + 3I (w = 4)        2612M + 3I (w = 4)        2532M + 3I  *
  secp192r1      3120M + 3I (w = 4)        —                         3036M + 3I  *
  secp224r1      3430M + I  (w = 4)        3206M + I  (w = 4)  *     3370M + I
  secp256r1      3912M + 3I (w = 4)        3776M + 3I (w = 4)  *     3876M + 3I
  secp384r1      5770M + 3I (w = 5)  *     —                         5892M + 3I
  secp521r1      7462M + 3I (w = 5)        6937M + 3I (w = 5)  *     7875M + 3I

Table 2. Total cost of scalar multiplication to resist Goubin's attack and the ZVP attack (* marks the most efficient method for each curve; — marks curves without a preferred isogeny degree)



The main idea of the improvement is to use the point $(0, y)$, namely the point with zero $x$-coordinate, as the base point on the underlying curve. The double-and-add-always method of Section 2 is a left-to-right method, and thus the base point $P$ is fixed during the scalar multiplication $dP$. The addition formula with the point $X_1 = 0$ is represented as follows:

ECADD in Jacobian coordinates with $X_1 = 0$ (ECADD$^J_{X=0}$):

$X_3 = R^2 - H^3, \quad Y_3 = -S_1H^3 - RX_3, \quad Z_3 = Z_1Z_2H,$
$H = X_2Z_1^2, \quad S_1 = Y_1Z_2^3, \quad S_2 = Y_2Z_1^3, \quad R = S_2 - S_1.$

This is ECADD$^J$ with $U_1 = X_1Z_2^2 = 0$ substituted, so that $H = U_2$ and the terms $2U_1H^2$ and $U_1H^2$ vanish. We denote by ECADD$^J_{X=0}$ the addition formula for ECADD in Jacobian coordinates with $X_1 = 0$. Formula ECADD$^J_{X=0}$ requires only 14 multiplications when $Z_1 \neq 1$ and 9 multiplications when $Z_1 = 1$.

Therefore, we have the following estimation for an $n$-bit scalar multiplication with $a = -3$, $Z = 1$ using Jacobian coordinates and the double-and-add-always method of Section 2 (each iteration costs one ECDBL$^J$ with $a = -3$, 8 multiplications, plus one ECADD$^J$ with $Z_1 = 1$, 11 multiplications, or one ECADD$^J_{X=0}$, 9 multiplications). The proposed scheme achieves about 11% improvement over the scheme with $X \neq 0$.

                     n-bit ECC    160-bit ECC
  Scheme X != 0      19nM         3040M
  Scheme X = 0       17nM         2720M

Table 3. Comparison of efficiency with $X \neq 0$ and $X = 0$
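The following Python is an added example, not code from the paper. It implements ECDBL$^J$ and ECADD$^J$ from Section 2, the binary and double-and-add-always methods of Section 2.1, and the ECADD$^J_{X=0}$ formula above, and checks all of them against affine arithmetic. The curve is a constructed toy, $y^2 = x^3 - 3x + 4$ over $\mathbb{F}_{1009}$: $b = 2^2$ is a quadratic residue, so Goubin's point $(0, 2)$ exists and serves as the base point, exactly the situation in which the $X = 0$ formula applies. Everything about the toy curve (the prime, $b$, the scalars) is an assumption of this example.

```python
"""ECDBL^J and ECADD^J from Section 2, the X = 0 variant ECADD^J_{X=0} of
Section 4.2, and the binary / double-and-add-always methods of Section 2.1,
checked against affine arithmetic.  Added example, not code from the paper.
Toy curve (constructed): y^2 = x^3 - 3x + 4 over F_1009, which has Goubin's
point (0, 2); it is far below cryptographic size and only illustrates the formulas."""

P = 1009          # constructed toy prime
A = P - 3         # a = -3, the efficient parameter of Section 2 (b = 4 is fixed by the tests)
INF = None        # point at infinity O in affine form
O_J = (1, 1, 0)   # point at infinity in Jacobian form (any X, Y with Z = 0)


def inv(x):
    return pow(x % P, P - 2, P)


def affine_add(P1, P2):
    """Reference ECADD/ECDBL with the slope lambda of Section 2; handles O and P1 = -P2."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    lam = (3 * x1 * x1 + A) * inv(2 * y1) if P1 == P2 else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def affine_mul(d, pt):
    """Affine double-and-add, used only as the oracle for the Jacobian ladders."""
    acc = INF
    for bit in bin(d)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, pt)
    return acc


def to_jacobian(pt):
    return (pt[0], pt[1], 1)


def from_jacobian(J):
    X, Y, Z = J
    if Z == 0:
        return INF
    zi = inv(Z)
    return X * zi * zi % P, Y * zi ** 3 % P


def ecdbl_j(P1):
    """ECDBL^J: M = 3X1^2 + aZ1^4 is the register that (ED1) points drive to zero."""
    X1, Y1, Z1 = P1
    S = 4 * X1 * Y1 * Y1
    M = 3 * X1 * X1 + A * Z1 ** 4
    T = -2 * S + M * M
    return T % P, (-8 * Y1 ** 4 + M * (S - T)) % P, 2 * Y1 * Z1 % P


def ecadd_j(P1, P2):
    """ECADD^J (16M, or 11M when Z1 = 1); the degenerate cases are handled explicitly."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P1, P2
    if Z1 == 0:
        return P2
    if Z2 == 0:
        return P1
    U1, U2 = X1 * Z2 * Z2, X2 * Z1 * Z1
    S1, S2 = Y1 * Z2 ** 3, Y2 * Z1 ** 3
    H, R = (U2 - U1) % P, (S2 - S1) % P
    if H == 0:
        return ecdbl_j(P1) if R == 0 else O_J          # P1 = P2 or P1 = -P2
    X3 = -H ** 3 - 2 * U1 * H * H + R * R
    Y3 = -S1 * H ** 3 + R * (U1 * H * H - X3)
    return X3 % P, Y3 % P, Z1 * Z2 * H % P


def ecadd_j_x0(P1, P2):
    """ECADD^J_{X=0} of Section 4.2 for P1 = (0 : Y1 : Z1): U1 = 0, so H = U2 and the
    terms 2U1H^2 and U1H^2 vanish (14M, or 9M when Z1 = 1)."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P1, P2
    assert X1 == 0, "first operand must have X = 0"
    if Z1 == 0:
        return P2
    if Z2 == 0:
        return P1
    H = X2 * Z1 * Z1 % P
    S1, S2 = Y1 * Z2 ** 3, Y2 * Z1 ** 3
    R = (S2 - S1) % P
    if H == 0:
        return ecdbl_j(P1) if R == 0 else O_J
    X3 = R * R - H ** 3
    Y3 = -S1 * H ** 3 - R * X3
    return X3 % P, Y3 % P, Z1 * Z2 * H % P


def binary_method(d, pt):
    """Section 2.1 binary method: ECADD only when d_i = 1 (the SPA leak)."""
    base = to_jacobian(pt)
    Q = base
    for bit in bin(d)[3:]:                           # d_{n-2} ... d_0
        Q = ecdbl_j(Q)
        if bit == "1":
            Q = ecadd_j(Q, base)
    return from_jacobian(Q)


def double_and_add_always(d, pt):
    """Coron's double-and-add-always; with base point (0, y) every addition uses
    ECADD^J_{X=0}, which is the 19nM -> 17nM saving of Table 3."""
    base = to_jacobian(pt)
    add = (lambda Q: ecadd_j_x0(base, Q)) if pt[0] == 0 else (lambda Q: ecadd_j(Q, base))
    Q = [base, None]
    for bit in bin(d)[3:]:
        Q[0] = ecdbl_j(Q[0])
        Q[1] = add(Q[0])                             # dummy addition when d_i = 0
        Q[0] = Q[int(bit)]
    return from_jacobian(Q[0])
```

Calling `double_and_add_always(d, (0, 2))` runs the ladder with the $X = 0$ formula at every step and returns the same affine point as `affine_mul(d, (0, 2))`; passing a base point with $x \neq 0$ falls back to the general ECADD$^J$. The explicit handling of $H = 0$ and $Z = 0$ is what the paper's formulas leave to the implementer: on a curve of unknown small order the dummy addition can hit $Q = \pm P$, and a real implementation must also make those branches constant-time.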



Here we have a question about the security of choosing the base point $(0, y)$. The following theorem can be easily proven thanks to random self-reducibility.

Theorem 3. Let $E$ be an elliptic curve over $\mathbb{F}_p$. We assume that $\#E$ is prime. Breaking the discrete logarithm problem with base point $(0, y)$ is as intractable as doing so with a random base point.

Proof. ($\Leftarrow$) Let $P_0$ be an instance of the discrete logarithm problem for the base point $G_0 = (0, y)$ and a point $P_0$. We can randomize these points by multiplying by random exponents $r, s \in [1, \#E]$, namely let $G = rG_0$, $P = sP_0$ be the randomized points. From the assumption, we can solve the discrete logarithm problem $\log_G P$, and thus the discrete logarithm $\log_{G_0} P_0 = (\log_G P) \cdot r/s \bmod \#E$.

($\Rightarrow$) Let $A_0$ be an oracle which solves the discrete logarithm problem for the base point $G_0 = (0, y)$, namely $A_0$ answers $\log_{G_0} P_0$ for a random point $P_0$. We construct an algorithm $A$ that solves the discrete logarithm problem with a random base. Algorithm $A$ is going to compute $\log_G P$ for random inputs $G, P$. Algorithm $A$ randomizes $G$ with a random exponent $t \in [1, \#E]$ and obtains the discrete logarithm $\log_{G_0} G = (\log_{G_0} tG)/t \bmod \#E$ by asking $tG$ and $G_0$ to the oracle $A_0$. Similarly, algorithm $A$ obtains $\log_{G_0} P$. Then algorithm $A$ returns the discrete logarithm

$\log_G P = (\log_{G_0} P)/(\log_{G_0} G) \bmod \#E.$

From this theorem, there is no security disadvantage in using the base point $(0, y)$. Another advantage of using the base point $(0, y)$ is that the memory required for the base point is reduced by half.

In order to utilize the proposed method efficiently, we propose the following scenario. If we need to resist both Goubin's attack and the ZVP attack, as in ECIES and single-pass ECDH, we compute the scalar multiplication on the original curve, which has neither Goubin's point $(0, y)$ nor ZVP. Otherwise, as in ECDSA and two-pass ECDH, we compute on an isogenous curve of small degree which has a point $(0, y)$, and map the resulting point to the original curve using the isogeny.

We show an example of a curve that achieves this scenario. The curve $E : y^2 = x^3 + ax + b$ over $\mathbb{F}_p$ defined by

  p  = 1461501637330902918203684832716283019653785059327,
  a  = 1461501637330902918203684832716283019653785059324 = -3,
  b  = 650811658836496945486322213172932667970910739301,
  #E = 1461501637330902918203686418909428858432566759883,

has neither $(0, y)$ nor (ED1) $3x^2 + a = 0$. Therefore this curve is secure against both Goubin's attack and the ZVP attack for the methods using the standard addition formulae. Then, the 3-isogenous curve $E' : y^2 = x^3 + a'x + b'$ over $\mathbb{F}_p$ defined by

  a' = 1461501637330902918203684832716283019653785059324 = -3,
  b' = 457481734813551707109011364830625202028249398260,

has the point $G' = (0, y)$ with

  G' = (0, 914154799534049515652763431190255872227303582054).

The isogenies $\psi : E \to E'$ and $\hat{\psi} : E' \to E$ cost only $13M + I$ each. This cost is much smaller than the improvement of the proposed method. The details of finding such a map are described in [2, Chapter VII].
5 Conclusion

We examined the countermeasure using isogeny against the ZVP attack. We showed that a class of curves (including some SECG curves) is still insecure against the ZVP attack despite the countermeasure: it can never be mapped to the efficient curve that is secure against the ZVP attack. This class satisfies the following three conditions: $a = -3$, $E$ has odd order, and $(-3/p) = -1$. The conditions $a = -3$ and $E$ of prime order are important for efficiency and for security, respectively. Thus a base field $\mathbb{F}_p$ with $(-3/p) = 1$ may be recommended.

In addition, we compared some efficient methods of computing the scalar multiplication for each curve from SECG in consideration of the resistance against the ZVP attack. Finally we proposed a positive use of Goubin's point. If Goubin's point is used as the base point of the scalar multiplication, we can improve the double-and-add-always method by about 11%.
Abstract. In a practical system, a message is often encrypted more than 
once by different encryptions, here called multiple encryption, to enhance 
its security. Additionally, new features may be achieved by multiply en- 
crypting a message, such as key-insulated cryptosystems and anonymous 
channels. Intuitively, a multiple encryption should remain “secure” 
whenever there is one unbreakable component cipher in it. In NESSIE's 
latest Portfolio of recommended cryptographic primitives (Feb. 2003), it 
is suggested to use multiple encryption with component ciphers based 
on different assumptions to acquire long term security. However, in this 
paper we show this needs careful discussion; in particular, it may not 
hold under adaptive chosen ciphertext attack (CCA), even with all 
component ciphers CCA-secure. We define an extended model of (stan- 
dard) CCA called chosen ciphertext attack for multiple encryption (ME-CCA) 
emulating partial breaking of assumptions, and give constructions 
of multiple encryption satisfying ME-CCA-security. We further relax CCA 
by introducing weak ME-CCA (ME-wCCA) and study the relations among 
these definitions, proving that ME-wCCA-security can be acquired by combin- 
ing IND-CCA-secure component ciphers together. We then apply these 
results to key-insulated cryptosystems. 



1 Introduction 

A practical cryptosystem often encrypts a message several times with indepen- 
dent secret keys or even distinct encryption schemes based on different assump- 
tions to enhance the confidentiality of the message. We call such cryptosystems mul- 
tiple encryption, and specifically double encryption and triple encryption for two- 
fold and three-fold multiple encryption respectively. In this paper, we in- 
vestigate the security notion of multiple encryption against partial breaking of 
underlying assumptions as well as key exposure. 

* The second author is supported by a Research Fellowship from Japan Society for 
the Promotion of Science (JSPS). 
Why Multiple Encryption. It is widely believed that multiple encryption 
provides better security because even if the underlying assumptions of some compo- 
nent ciphers are broken or some of the secret keys are compromised, con- 
fidentiality can still be maintained by the remaining encryptions. Historically, 
the sudden emergence of efficient attacks against elliptic curve cryptosystems on 
supersingular curves [23, 14] and on prime-field anomalous curves [28, 33, 27] 
has already reminded us of the necessity to do this. In particular, NESSIE 
([25], p. 5, lines 7-11) suggests for asymmetric encryption schemes to “use 
double encryption using ACE-KEM and RSA-KEM with different DEMs gives 
a good range of security, based on various different assumptions”, “if very long 
term security is important”. Furthermore, “Triple encryption that also uses a 
public-key scheme not based on number-theoretical assumptions might increase 
the security against future breakthrough”. However, it seems that this needs more 
careful discussion. 

On the other hand, multiple encryption can bring favorable additional new 
features to a scheme. Combining ordinary threshold encryptions may yield 
new threshold encryptions with various access structures. Many practical appli- 
cations achieving sender anonymity over open networks, like Mix-net 
[7, 19], onion routing [7] and key-insulated cryptosystems [11], are all practical 
examples of multiple encryption. 

Contradiction to the Intuition. In this paper, we show that even if it 
consists only of independently selected components that are semantically secure 
against adaptive chosen ciphertext attack (IND-CCA), a multiple encryption is 
not necessarily secure against chosen ciphertext attack (CCA) with partial 
component ciphers broken. This contradicts our intuition at first sight, but 
such “natural” constructions of multiple encryption can easily be shown to lose 
CCA-security. Meanwhile, this result may imply that CCA-security is too strong, 
because practical schemes with “pretty good” security could be considered inse- 
cure in this sense. We then propose a generic construction of multiple encryption 
schemes achieving CCA-security exactly. On the other hand, we relax the security def- 
inition based on the “natural” constructions, emphasizing practical usability, and 
investigate the relations among security notions for multiple encryption. Finally, 
as a byproduct, we give the first generic construction of a CCA-secure key-insulated 
cryptosystem. 



1.1 Related Work 

Multiple Encryption and Related Primitives. Multiple encryption has 
been used in practical schemes, for instance Triple DES. NESSIE [25] has also 
lately announced its recommendation to use (public key) multiple encryption 
with encryptions under diverse assumptions to ensure long term security. An- 
other example is the key-insulated cryptosystem, proposed by Dodis, Katz, Xu 
and Yung [11], whose generic construction is actually a multiple encryption of 
messages under a number of keys from a cover-free family [21]. 
Another important category of applications using multiple encryption are 
the practical implementations of anonymous channels in open networks, such 
as the Mix-net [19] and onion routing [7]. In these settings, several agents are 
appointed to transmit data from the sender to the receiver without revealing 
the identity of the sender. The typical design of such protocols is to encrypt data under 
the multiple public keys of these agents, which decrypt the data one layer after 
another until the data eventually reaches the destination. It is essential to perform these 
decryptions correctly; e.g., [1] has shown some practical attacks against some 
carelessly designed Mix-net protocols [20, 18], which, translated into our language, 
are insecure multiple encryptions. 

A related notion to multiple encryption is the threshold cryptosystem [8, 
32], which maintains the secrecy of the decryption key even if part of the secret key 
servers storing key shares are compromised. However, all known constructions 
are based on particular number theoretic assumptions and can be employed in 
only a restricted range of applications. 



Security Notions. Standard definitions of public key encryption schemes were 
established gradually in the literature, e.g. [17, 12, 26, 4, 13]. Semantic security, first 
defined by Goldwasser and Micali [17], later refined by Goldreich [16, 15] and 
Watanabe, Shikata and Imai [34], captures the computational approximation of 
Shannon's information-theoretic security [29], requiring that it should be in- 
feasible for any PPT (Probabilistic Polynomial Time) adversary to obtain any 
partial information about the plaintext of a given ciphertext. Another rather 
technical definition, indistinguishability, requires that given a ciphertext an ad- 
versary cannot distinguish which of two plaintexts is encrypted. In- 
distinguishability is proven to be equivalent to semantic security in several attack 
models, namely chosen plaintext attack (CPA), (non-adaptive) chosen-ciphertext 
attack (CCA1) and adaptive chosen-ciphertext attack (CCA2) [17, 16, 34, 15]. 
Another intricate notion, non-malleability, defined by Dolev, Dwork and Naor 
[12, 13], formulates that the adversary should not be able to create a ciphertext 
of a different message that is meaningfully related to the original ciphertext; 
non-malleability implies indistinguishability in all three attack models above. In- 
dependently in [4] and [13], indistinguishability and non-malleability are proven 
to be equivalent under (adaptive) chosen-ciphertext attack (hereafter CCA). 

CCA-security is crucial in analyzing the security of protocols. Mainly, it allows 
the adversary to make arbitrary decryption queries on any ciphertext other 
than the target message. However, Shoup first argued that CCA-security is too strin- 
gent for practical schemes and suggested “benign malleability” in the proposal 
for the ISO public key encryption standard [31], as a relaxation of the CCA model. 
An, Dodis and Rabin [3] give a similar discussion under the name “generalized- 
CCA” (gCCA). In these two relaxed definitions, a relation function checks and 
rejects “obvious” decryption queries that decrypt to the target message. Canetti, 
Krawczyk and Nielsen recently proposed another relaxation, RCCA (Replayable 
CCA), which is strictly weaker than gCCA in most cases [6]. 
Previous Work on Multiple Encryptions and Relations. Multiple en- 
cryption was addressed by Shannon as early as [29] under the name “product 
cipher”, and in [9, 24, 2] in the context of symmetric key cryptosystems. Massey 
and Maurer [22] have also studied the problem under the name “cascade ci- 
pher”. However, all the above work lacks consideration of CCA-security and is not 
adequate for applying its underlying notions to the public key setting straight- 
forwardly, even only in the sequential case. 

In ongoing work [10], Dodis and Katz, independently of our work, propose 
another generic construction of CCA-secure multiple encryption. The security 
of their scheme can be proven in the standard model and can be generalized to 
threshold settings. The difference lies in that, first, their scheme needs CCA-secure 
components while we only require component ciphers to be CPA-secure. Besides, 
the threshold setting seems not to fit our main goal “to enhance the security of a single 
component cipher”. So far, they have presented their work in the Rump Session 
of Crypto'03, Aug. 2003, while an earlier version [36] of our work was publicly 
announced at SCIS'03, Jan. 2003. 

1.2 Our Contributions 

Our contributions lie in the following aspects: 

Model and Security Definition of Multiple Encryption. We give the 
first formal model regarding public key multiple encryption. To the best of our 
knowledge, no previous work has a strict formalization including CCA-security in 
this respect, and actually our model can be extended to both public key and 
symmetric key based cryptosystems. Our model supports modular design: 
combining “secure” component ciphers to obtain a “secure” multiple encryption. 
As a theoretical extension of traditional security definitions, we give the corre- 
sponding security definitions for multiple encryption based on indistinguishabil- 
ity and non-malleability against different attacks, especially chosen ciphertext 
attack (ME-CCA). Without loss of generality, breaking the underlying assumptions 
of component ciphers can be modelled simply as the secret key being leaked to 
the adversary. Also some analyses here can be applied to symmetric key schemes. 

Vulnerability of Natural Multiple Encryption. We demonstrate ge- 
neric attacks against some “natural” constructions of multiple encryption 
schemes with each component IND-CCA-secure, by an adversary that breaks the 
indistinguishability of the scheme with access only to the Decryption Oracle 
and the Key Exposure Oracle. In fact, such an adversary even breaks the oneway- 
ness. This suggests the necessity that multiple encryption should be treated as 
a separate primitive from single encryption. 

Secure Construction of Multiple Encryption. We build multiple en- 
cryption schemes satisfying “strong” security, e.g. CCA from those satisfying 
only “weak” security, e.g., CPA. Though this task can be achieved using general 
zero-knowledge proof or one-time signature, considering efficiency of practical 
schemes, we design a scheme that is provably secure in the random oracle model. 
Re-defining Security of Multiple Encryption. IND-CCA-security has 
been treated as the standard definition for single encryption, for which it is shown 
that modular design can be achieved for cryptographic protocols in the UC framework 
[5]. However, our analysis shows CCA-security may be too stringent, since even 
IND-CCA-secure components would result in a CCA-insecure multiple encryption 
for most “natural” constructions. We argue the CCA-security definition is 
too strong for defining multiple encryptions. As a reasonable relaxation, we 
give a new security definition named weak chosen ciphertext attack for multiple 
encryption (ME-wCCA) that is sufficient in most interesting cases. 

Security Notions of Multiple Encryption. We study the relations among 
different security definitions for multiple encryption. We believe a good analysis 
of these relations will help protocol designers more than simply giving a specific 
construction based on concrete mathematical assumptions. Security definitions, 
namely indistinguishability and non-malleability, are formulated under differ- 
ent attack models. We show indistinguishability and non-malleability are still 
equivalent under ME-CCA, which corresponds to previous results: a multiple 
encryption degenerates to an ordinary public key cryptosystem if there is only 
one component cipher in it. A similar relation holds for the relaxed definitions. 

Application to Key Insulated Encryption. We reconsider the chosen 
ciphertext security of key-insulated encryption. Previously it was only known 
from [11] that a generic construction exists that is provably secure against CPA. In this 
paper, we show that their scheme is in fact provably secure in the relaxed wCCA 
model, which reasonably supports the correctness and practical usability of their 
scheme. We further give a generic construction meeting exact CCA-security (in 
the random oracle model). We point out this is the first generic construction of 
a CCA-secure key-insulated cryptosystem ever reported. 

2 Multiple Encryption 

Informally, a multiple encryption encrypts a message by multiple cryptosys- 
tems. A multiple encryption scheme ME is generated from component ciphers. 

Specification. Multiple encryption is a cryptosystem composed of separate 
component ciphers, each of which may be independent. Suppose {E_i}_{1≤i≤n} is a 
set of compatible component ciphers, where for E_i, 

Enc-Gen_i is a probabilistic key-generation algorithm, which, with the input (1^k) 
and internal coin flipping, produces a public-secret key pair 
(pk_i, sk_i); 

Enc_i is an encryption algorithm, which, with an input message m_i ∈ M_i and the 
public key pk_i, with internal coin flipping, outputs a ciphertext 
c_i ∈ C_i; 

Dec_i is a decryption algorithm, which is a deterministic algorithm, which, with 
the input ciphertext c_i and the secret key sk_i, outputs a message 
m_i or “⊥”. 
A multiple encryption is a 3-tuple of algorithms (MEnc-Gen, MEnc, MDec), where 
each algorithm may be combined from a number of public key cryptosystems 
with a unifilar connecting order. MEnc-Gen invokes every Enc-Gen_i, and writes 
their outputs to a key list with public keys PK = (pk_1, ..., pk_n) and secret keys 
SK = (sk_1, ..., sk_n). MEnc, with an input message M from message space M and 
PK, performs the encryption MEnc on M by invoking a list of component encryption 
algorithms, and eventually outputs a ciphertext C ∈ C. The decryption algorithm 
MDec takes (C, SK) as input and outputs M, or “⊥” if C is invalid. We also 
denote in brief the encryption algorithm as MEnc(M; COIN) (or MEnc(M)), and 
the decryption algorithm as MDec(C) where the context is clear, where COIN stands for 
the randomness used in the multiple encryption. Essentially, we have two typical 
constructions: the parallel construction, e.g., the generic construction given in [11], 
in which the message is first split into shares by secret sharing and then encrypted 
separately; and the sequential construction, e.g., the cascade cipher studied in [22], in which the 
message is encrypted by one component cipher, then encrypted by another, and 
eventually forms the ciphertext. By combining these two constructions, we get 
a hybrid construction, which we refer to hereafter as the “natural” construction. 

3 Chosen Ciphertext Security for Multiple Encryption 

Partial breaking of underlying assumptions (key exposure) is usually not con- 
sidered in the security of a normal public key encryption scheme, such as IND- 
CCA, whereas a multiple encryption should remain secure even when most of 
the underlying assumptions are broken. Since this gap cannot always be bridged, 
modifications should be made to the (standard) CCA-security definition in 
order to capture this. We here introduce an additional oracle into the standard 
CCA game to emulate this scenario: a Key Exposure Oracle that, upon the adap- 
tive request of the adversary, reveals secret keys of the component ciphers to 
the adversary. Note that more has been considered in our model than mere key 
exposure, and the situations are more complicated. 

Oracle Access Rules. There are three oracles in our model: An Encryption 
Oracle EO, which upon being called with input (M_0, M_1), returns C_b, the encryption 
of M_b, where b ∈ {0, 1} is decided by internal coin flipping. A Decryption Oracle 
DO, upon decryption query C, outputs M = MDec(C) if C ≠ C_b; otherwise, 
“⊥”. A Key Exposure Oracle KE, upon being called with i as the index of one of the n compo- 
nent ciphers, 1 ≤ i ≤ n, returns the corresponding secret key sk_i. The adversary 
can access the three oracles in any order at any time of its choice, but it can only 
query EO once and KE at most n − 1 times. 

Definition 1 (IND-ME-CCA). Assume any PPT adversary plays the following 
game with a multiple encryption ME. First, the key generation algorithm MEnc-Gen 
is run. The public key PK = {pk_i | i = 1, ..., n} is then given to an Encryp- 
tion Oracle EO and the adversary. The secret key SK = {sk_i | i = 1, ..., n} is 
given to a Decryption Oracle DO and a Key Exposure Oracle KE. The adversary 
chooses to access the three oracles in any order and at any time. According to the 
timing of access to EO, the adversary's strategy is divided into two algorithms 
(A_find, A_guess), where A_find tries to find (M_0, M_1) to submit to EO, which returns 
C_b, and A_guess tries to output a guess on b. If the difference of the success prob- 
ability of the adversary A compared to random guessing in the IND-ME-CCA game 
is negligible: 

\[
\Pr\left[\, b' = b \;\middle|\;
\begin{array}{l}
(PK, SK) \leftarrow \mathrm{MEnc\text{-}Gen}(1^k),\ (M_0, M_1, \sigma) \leftarrow A_{\mathrm{find}}^{KE, DO}(PK), \\
b \xleftarrow{R} \{0, 1\},\ C_b \leftarrow \mathrm{MEnc}(M_b),\ b' \leftarrow A_{\mathrm{guess}}^{KE, DO}(C_b, \sigma)
\end{array}
\right] \le \frac{1}{2} + \mathrm{neg}(k)
\]

then we call this ME IND-ME-CCA-secure. 



Non-malleability of multiple encryption against CCA (NM-ME-CCA) is sim- 
ilar to IND-ME-CCA except that the adversary succeeds by outputting a new 
ciphertext which is “meaningfully” related to the challenge ciphertext. That is, 
suppose R is a prescribed relation; then the adversary wins if it 
can output a ciphertext C different from the challenge ciphertext C_b, with the 
two plaintexts decrypted from C and C_b satisfying R (R outputs TRUE). 

Definition 2 (NM-ME-CCA). Denote M, C as sets of plaintexts and ciphertexts, 
being empty initially, respectively. According to the above access rules for the 
three oracles, if any PPT adversary in the following game has success probability 
negligibly close to 1/2, we call the multiple encryption scheme NM-ME-CCA- 
secure. 

\[
\Pr\left[\, b = 1 \;\middle|\;
\begin{array}{l}
(PK, SK) \leftarrow \mathrm{MEnc\text{-}Gen}(1^k),\ (M_0, M_1, \sigma) \leftarrow A_{\mathrm{find}}^{KE, DO}(PK), \\
C_b \leftarrow \mathrm{MEnc}(M_b),\ (R, C) \leftarrow A_{\mathrm{guess}}^{KE, DO}(C_b, \sigma), \\
M \leftarrow \mathrm{MDec}(C),\ (C_b \ne C) \wedge (\bot \ne M) \wedge R(M_b, M)
\end{array}
\right] \le \frac{1}{2} + \mathrm{neg}(k)
\]



These definitions are also applicable to chosen plaintext attack (CPA) by let- 
ting DO always output an empty string on any decryption query, which results 
in the definition of chosen plaintext attack for multiple encryption, ME-CPA. 
Analogously, we can define IND-ME-CPA and NM-ME-CPA. By fixing the number of 
component ciphers n = 1 in the definition of IND-ME-CCA (or NM-ME-CCA), we 
obtain the definition of the standard IND-CCA (or NM-CCA). 



4 Insecurity of Natural Constructions 

Given that each component is IND-CCA-secure, let us consider the following problem: 
Is the above “natural” construction IND-ME-CCA-secure? Rather disappointingly, 
the answer is negative. All “natural” constructions seem insecure without further 
treatment. 

Basic Analysis. At first glance, one may think all multiple encryption 
schemes from such a construction should be secure, since each component is cho- 
sen independently of the others and satisfies the strong security notion IND-CCA, 
so all outputs will be indistinguishable from random sequences. However, this 
reasoning is fallacious. The flaw is that it does not consider the case that 
the adversary can make use of DO. In this case DO can be very helpful be- 
cause every ciphertext different from the original can be decrypted and returned 
according to the definition of the CCA attack. Then all the adversary needs to do 
is to modify the challenge ciphertext to a “new” one that decrypts to the same 
message, and submit it to the Decryption Oracle DO. In the (standard) CCA set- 
ting, the adversary cannot do this easily because the secret key is kept private. 
However, in the ME-CCA setting, partial keys can be exposed by the Key Exposure 
Oracle KE; moreover, since every component is semantically secure, it must 
be probabilistic, so there exist at least two valid ciphertexts C_0, C_1 ∈ C with 
MDec(C_0) = MDec(C_1) = M, where M ∈ M is any valid plaintext. Further- 
more, we have the following theorem (the proof can be found in the full version 
of this paper [35]). 

Theorem 1. There exists insecure multiple encryption in the sense of IND-ME- 
CCA, even if it contains only independent IND-CCA-secure component ciphers. 

Discussion. The theorem shows only the case of indistinguishability under ME- 
CCA attack. We briefly explain the case of onewayness against chosen ciphertext 
attack for multiple encryption, denoted OW-ME-CCA. Onewayness can be 
informally described as: given a ciphertext C, output the plaintext M. It is a 
strictly weaker notion than indistinguishability. However, the proof of Theorem 
1 tells us that not only IND-ME-CCA, but also onewayness may not be maintained 
in the ME-CCA model, even if all the components are CCA-secure. On the other hand, 
we can see such natural schemes are malleable because the adversary can easily 
produce a “new” ciphertext with a proper key exposure query and simulate the 
Encryption Oracle. NM-ME-CCA-security better explains why the adversary can 
launch that attack: it has actually produced a ciphertext related to the challenge 
ciphertext in that it contains the same plaintext. NM-ME-CCA-security is 
not trivially obtainable in such situations, either. 



5 A Generic Construction for Secure Multiple Encryption 

We have shown that simple modular design of multiple encryption without further 
treatment is not sufficient to yield ME-CCA-security. Then two questions 
arise naturally: First, does an ME-CCA-secure multiple encryption exist? Second, 
can a generic construction with ME-CCA-security be obtained by combining 
component ciphers with weaker security, e.g., onewayness against chosen plain- 
text attack (OW-CPA)? We answer both questions by giving a generic 
construction combining component ciphers of weak security (OW-CPA) into an ME- 
CCA-secure multiple encryption. 

For the “natural” constructions, ME-CCA-security is hard to achieve with 
simple connections of component ciphers because partial exposure of the secret 
keys will always cause malleability of ciphertexts. This suggests the necessity 
to check the randomness used in encryption, to ensure the validity of all parts 
of a ciphertext before outputting the plaintext. Suppose all randomness used in 
the encryption can be verified during decryption; then the Decryption Oracle 
in fact does not help the adversary: if the adversary can pass the randomness 
verification, then with overwhelming probability it already knows all the ran- 
domness used. This can be achieved by embedding all randomness into 
the plaintext; then the consistency of all randomness can be verified in the decryp- 
tion phase, i.e., the adversary is forced to know the corresponding 
plaintext when it submits a valid ciphertext query. Then a multiple encryption 
will be secure if an adversary cannot break all underlying component ciphers. 

5.1 Secure Construction of Multiple Encryption 

We give ME-CCA-secure constructions based on any public key encryption components with OW- 
CPA security, which is satisfied by most practical public key encryption schemes. 
Recall E_i is the i-th component cipher of the multiple encryption, Enc_i(m_i, pk_i; 
COIN_i) and Dec_i(c_i, sk_i) are the encryption algorithm and decryption algorithm 
for E_i (in short Enc_i(m_i; COIN_i) and Dec_i(c_i), respectively), where pk_i is the 
public key and sk_i is the secret key of E_i (see Section 2). We further design 
the following construction. Denote H_i : {0,1}^* → {0,1}^{k_i} (k_i is the length of 
the random coin needed by E_i) and G_i : {0,1}^* → {0,1}^{l_i} (l_i is the length of 
c_{i2}) as random functions. For parallel multiple encryption, one can consider the following 
construction: 

Key-Generation MGen-Enc(1^k): (pk_i, sk_i) ← Gen-Enc_i, for 1 ≤ i ≤ n; PK = 
(pk_1, ..., pk_n), SK = (sk_1, ..., sk_n). 

Encryption MEnc(M, PK): (m_1, ..., m_n) ← T(M). r_i ←R {0,1}^*, for 1 ≤ 
i ≤ n. For the i-th component cipher: c_{i1} ← Enc_i(r_i; H_i(M, r_1, ..., r_n)), c_{i2} ← 
G_i(r_i) ⊕ m_i, c_i = (c_{i1}, c_{i2}), 1 ≤ i ≤ n. Outputs C = (c_1, ..., c_n) as ciphertext. 

Decryption MDec(C, SK): r̂_i ← Dec_i(c_{i1}), m̂_i = G_i(r̂_i) ⊕ c_{i2}, 1 ≤ i ≤ n. 
Outputs M ← T^{-1}(m̂_1, ..., m̂_n) as plaintext if c_{i1} = Enc_i(r̂_i; H_i(M, r̂_1, ..., r̂_n)) 
for all i, otherwise “⊥”. 
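As an added example (not the paper's code), the following Python model puts the parallel “natural” construction of Section 4 beside the Section 5.1 construction above and runs the same one-key manipulation against both. Everything concrete is an assumption of the model: the component cipher is a toy keyed-hash one-time pad with pk_i = sk_i that merely provides Enc_i(m; COIN_i)/Dec_i(c), T(M) is XOR secret sharing in place of the AONT, H_i and G_i are domain-separated SHAKE calls, and key exposure is modelled by handing one component key to the manipulating party.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

COIN_LEN = 16  # k_i: length of the random coin each toy component cipher consumes


def prf(tag: bytes, *parts: bytes, n: int = 32) -> bytes:
    """Domain-separated XOF standing in for the random functions H_i, G_i and
    for the keystream of the toy component cipher (an assumption of this model)."""
    x = hashlib.shake_256(tag)
    for p in parts:
        x.update(len(p).to_bytes(4, "big") + p)
    return x.digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def enc_i(sk: bytes, m: bytes, coin: bytes) -> bytes:
    """Toy Enc_i(m; COIN_i): probabilistic, yet deterministic once the coin is fixed."""
    return coin + xor(m, prf(b"E", sk, coin, n=len(m)))


def dec_i(sk: bytes, c: bytes) -> bytes:
    coin, body = c[:COIN_LEN], c[COIN_LEN:]
    return xor(body, prf(b"E", sk, coin, n=len(body)))


def share(msg: bytes, n: int) -> List[bytes]:
    """T(M): n-out-of-n XOR secret sharing, a stand-in for the AONT of [11]."""
    parts = [secrets.token_bytes(len(msg)) for _ in range(n - 1)]
    last = msg
    for p in parts:
        last = xor(last, p)
    return parts + [last]


def unshare(parts: List[bytes]) -> bytes:
    out = parts[0]
    for p in parts[1:]:
        out = xor(out, p)
    return out


# "Natural" parallel construction (Section 4): split M, encrypt each share.
def natural_enc(keys: List[bytes], msg: bytes) -> List[bytes]:
    shares = share(msg, len(keys))
    return [enc_i(k, m, secrets.token_bytes(COIN_LEN)) for k, m in zip(keys, shares)]


def natural_dec(keys: List[bytes], c: List[bytes]) -> bytes:
    return unshare([dec_i(k, ci) for k, ci in zip(keys, c)])


# Section 5.1 construction: coins derived from (M, r_1, ..., r_n), re-verified.
def secure_enc(keys: List[bytes], msg: bytes) -> List[Tuple[bytes, bytes]]:
    n = len(keys)
    shares = share(msg, n)
    r = [secrets.token_bytes(COIN_LEN) for _ in range(n)]
    out = []
    for i, k in enumerate(keys):
        coin = prf(b"H%d" % i, msg, *r, n=COIN_LEN)             # H_i(M, r_1, ..., r_n)
        c1 = enc_i(k, r[i], coin)                                # c_i1 = Enc_i(r_i; coin)
        c2 = xor(prf(b"G%d" % i, r[i], n=len(msg)), shares[i])  # c_i2 = G_i(r_i) xor m_i
        out.append((c1, c2))
    return out


def secure_dec(keys: List[bytes], c: List[Tuple[bytes, bytes]]) -> Optional[bytes]:
    """MDec: None plays the role of "bottom"; M is released only when every
    c_i1 re-encrypts under H_i(M, r_1, ..., r_n)."""
    r = [dec_i(k, c1) for k, (c1, _) in zip(keys, c)]
    shares = [xor(prf(b"G%d" % i, r[i], n=len(c2)), c2) for i, (_, c2) in enumerate(c)]
    msg = unshare(shares)
    for i, k in enumerate(keys):
        if enc_i(k, r[i], prf(b"H%d" % i, msg, *r, n=COIN_LEN)) != c[i][0]:
            return None
    return msg


def reencrypt(exposed_sk: bytes, c_j: bytes) -> bytes:
    """The Section 4 manipulation: with one key obtained from KE, decrypt
    component j and re-encrypt it under fresh coins, giving c'_j != c_j."""
    return enc_i(exposed_sk, dec_i(exposed_sk, c_j), secrets.token_bytes(COIN_LEN))


def demo(n: int = 3, msg: bytes = b"constructed sample M") -> Tuple[bool, bool, bool]:
    """Returns (natural construction releases M for C' != C_b,
                Section 5.1 decrypts an honest C correctly,
                Section 5.1 rejects the same manipulation with "bottom")."""
    keys = [secrets.token_bytes(16) for _ in range(n)]
    c = natural_enc(keys, msg)
    c_mod = [reencrypt(keys[0], c[0])] + c[1:]
    natural_leaks = c_mod != c and natural_dec(keys, c_mod) == msg
    s = secure_enc(keys, msg)
    s_mod = [(reencrypt(keys[0], s[0][0]), s[0][1])] + s[1:]
    secure_rejects = s_mod != s and secure_dec(keys, s_mod) is None
    return natural_leaks, secure_dec(keys, s) == msg, secure_rejects
```

In the Section 5.1 variant the exposed key still recovers r_j, but a fresh coin never matches H_j(M, r_1, ..., r_n), so the decryption check fails exactly as the randomness-verification argument above predicts.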

We prove that the following theorem holds for the above construction; the proof 
can be found in the full version of this paper [35]. Based on the same idea, one 
can design a secure construction for sequential multiple encryption, an 
example of which can be found in [35]. 

Theorem 2. Multiple encryptions from the above constructions are IND-ME- 
CCA-secure in the random oracle model. 

Discussion. One complementary remark should be made on the unifor- 
mity of the underlying primitives. What we have considered so far is mainly non- 
deterministic component ciphers. For deterministic public key encryp- 
tion primitives, e.g., RSA, the above construction is not sufficient; however, it can be modified 
to fit this transform. Furthermore, if all the component ciphers are deterministic, 
the task is easier: just connect them together and set proper padding schemes 
as pre-processing of the message, like OAEP+ [30], and form the whole multiple 
encryption with a parallel construction with compatible input domain, or sequen- 
tial connection one after another. The AONT can even be replaced by OAEP+. This 
construction should also be secure because if the encryption primitive is deter- 
ministic, an adversary cannot re-encrypt the corresponding parts of a ciphertext 
into a valid new part to produce another ciphertext even if it seizes the corresponding 
secret keys. We shall give formal analysis regarding deterministic encryption 
primitives in forthcoming work. 

6 New Security Definitions for Multiple Encryption 

It seems contradictory to our intuition that though component ciphers are inde- 
pendent, even onewayness may be lost with just a simple connection of independently 
chosen ciphers. However, if we follow CCA-security, it is doomed to appear 
completely insecure. From another aspect, this suggests that CCA-security may 
be somehow excessively strong. In the real world, it is unreasonable that DO 
helps with such obvious attacks. A well-known example states that a new cipher E' 
constructed from a CCA-secure cipher E, where a harmless bit is appended to 
the ciphertext of E and is discarded during decryption, is no longer secure in 
the sense of CCA. In fact such an attack on E' should be easily judged and makes “no 
significant difference” in most interesting cases. When DO encounters such 
queries, it should easily determine whether this is really a “new” ciphertext, 
just by looking at the ciphertext. 

6.1 Relaxing Security Definition Regarding Multiple Encryption 

CCA-security might be too strong and is not always necessary, as pointed out 
in [31, 3, 6], among which Shoup's “benign malleability” [31] and An, Dodis 
and Rabin's “gCCA” [3] are basically equivalent: a relation function RF helps 
the Decryption Oracle against obvious attacks. In the gCCA definition, the relation 
function performs as follows: if RF(c, c') = TRUE then Dec(c) = Dec(c'). The 
opposite direction does not hold; otherwise, the relation function could be used 
as an oracle breaking indistinguishability. There must exist (c, c') such that 
RF(c, c') = FALSE with Dec(c) = Dec(c') (refer to [3] for more details). Canetti, 
Krawczyk and Nielsen [6] recently proposed another relaxation, called “replayable 
chosen ciphertext attack” (RCCA), which in most cases is strictly weaker than gCCA. 

To rule out the definitional limitation of CCA-security in the multiple encryption 
setting, we also introduce a relaxed definition called “weak chosen ciphertext 
attack for multiple encryption” (ME-wCCA). In the definition of wCCA, there 
is a relation function RF* that is computed by invoking RF_i (1 ≤ i ≤ n) during 
the decryption process inside DO, with the initial value of each RF_i set to FALSE, 
where RF_i is the relation function defined according to gCCA-security for the i- 
th component cipher E_i: RF_i(c_i, c'_i) = TRUE ⇒ Dec(c_i) = Dec(c'_i). Whenever 
RF_i = TRUE for some i, RF* halts and returns TRUE to DO immediately. 
Once receiving TRUE, DO outputs “⊥” to the adversary. Informally, if RF* 
finds that a part (possibly an intermediate decryption result) of the query ciphertext 
looks “the same” as the corresponding part of the challenge ciphertext, it tells 
the Decryption Oracle to reject this decryption query. Since the rules for oracle 
access are the same, the definition of IND-ME-CCA only needs to be modified a 
little to adapt to IND-ME-wCCA. 

We stress that ME-wCCA-security is a reasonable relaxation for CCA-security. 
This notion is basically an extension of gCCA-security. By restricting a multiple 
encryption to only one component cipher, IND-ME-wCCA becomes IND-gCCA. 

Definition 3 (IND-ME-wCCA). In this game, everything is the same except the 
operation of the Decryption Oracle DO. The Decryption Oracle DO is equipped 
with a Relation Function RF* inside, which is computable in polynomial time. 
The scheme is secure if any probabilistic polynomial time adversary has success 
probability negligibly close to 1/2: 

\[
\Pr\left[\, b' = b \;\middle|\;
\begin{array}{l}
(PK, SK) \leftarrow \mathrm{MEnc\text{-}Gen}(1^k),\ (M_0, M_1, \sigma) \leftarrow A_{\mathrm{find}}^{KE, DO}(PK), \\
b \xleftarrow{R} \{0, 1\},\ C_b \leftarrow \mathrm{MEnc}(M_b),\ b' \leftarrow A_{\mathrm{guess}}^{KE, DO}(C_b, \sigma)
\end{array}
\right] \le \frac{1}{2} + \mathrm{neg}(k)
\]

The following lemma shows that IND-ME-wCCA-secure multiple encryption 
can be acquired from IND-gCCA-secure component ciphers (for the proof see [35]). 

Lemma 1. A multiple encryption scheme ME is IND-ME-wCCA-secure w.r.t. 
RF* by any of the three basic constructions, if each component cipher E_i is IND- 
gCCA-secure w.r.t. relation function RF_i, 1 ≤ i ≤ n. RF* is defined as RF*(C, 
C') = TRUE such that RF_i(c_i, c'_i) = TRUE for some i, 1 ≤ i ≤ n, where c_i, c'_i 
are two ciphertexts of E_i, and C, C' are the corresponding ciphertexts for ME. 

Since IND-CCA always implies IND-gCCA, we have the following theorem: 

Theorem 3. If all component ciphers are IND-CCA-secure and chosen indepen- 
dently according to the above “natural” constructions, then the resulting multiple 
encryption is IND-ME-wCCA-secure. 

In fact, each attack from Theorem 1 constructs a new ciphertext with the 
same plaintext. Since non-malleability is an arduous goal for multiple encryp- 
tion, we define a relaxed gNM-ME-CCA similar to IND-ME-wCCA. Informally, the 
definition stipulates that the adversary does not win as long as it outputs a 
new ciphertext that stands in the equivalence relation regulated by the relation function 
to the challenge ciphertext, where the relation function is defined analogously 
to that of IND-ME-wCCA. 

Definition 4 (gNM-ME-CCA). A multiple encryption scheme is generalized- 
non-malleable against ME-CCA attack if any PPT adversary, assisted by a 
Decryption Oracle DO and a Key Exposure Oracle KE, cannot, with non-negligible 
probability, produce a new ciphertext with a relation other than what the Relation 
Function RF* specifies, where RF* is defined identically to ME-wCCA. Denote M, C 
as sets of plaintexts and ciphertexts, being empty initially, respectively. 

\[
\Pr\left[\, b = 1 \;\middle|\;
\begin{array}{l}
(PK, SK) \leftarrow \mathrm{MEnc\text{-}Gen}(1^k),\ (M_0, M_1, \sigma) \leftarrow A_1^{KE, DO}(PK), \\
C_b \leftarrow \mathrm{MEnc}(M_b),\ (R, C) \leftarrow A_2^{KE, DO}(C_b, \sigma, M_0, M_1), \\
M \leftarrow \mathrm{MDec}(C),\ (C_b \ne C) \wedge (\bot \ne M) \wedge R(M_b, M) \wedge (R \ne RF^*)
\end{array}
\right] \le \frac{1}{2} + \mathrm{neg}(k)
\]

gNM-ME-CCA is a strictly weaker notion than NM-ME-CCA-security (cf. IND- 
ME-wCCA to IND-ME-CCA). 

7 Relations among Secnrity Definitions 

In this section, we discuss the relations among security definitions of multi- 
ple encryptions. The good news is that in multiple encryption scenario indis- 
tinguishability and non-malleability are still equivalent under ME-CCA attacks 
(IND-ME-wCCA is equivalent to gNM-ME-CCA). The proofs of these theorems 
are left to the full version of this paper [35]. 

Theorem 4. IND-ME-CCA ⇔ NM-ME-CCA.

Theorem 5. IND-ME-wCCA ⇔ gNM-ME-CCA.

Theorem 6. IND-ME-wCCA ⇒ IND-ME-CPA, but IND-ME-CPA ⇏ IND-ME-wCCA.

8 Applications to Key-Insulated Cryptosystem 

The key-insulated cryptosystem was proposed in [11] to protect cryptosystems
against partial key exposure. In such a system, the user's secret key is stored on
an insecure user device. Additionally, there is a physically secure server that
stores a master key. With the help of this server, user keys are updated periodi-
cally, so that compromise of the user keys in some periods does not affect the
system in other periods. In [11], a generic construction is proposed based on an
arbitrary public key encryption scheme that is semantically secure against chosen
plaintext attack. Recall that the authors of [11] do not claim their generic con-
struction to be CCA-secure.

At first glance, because of the cover-free family property, even if the secret
keys of t periods are compromised, at most t − 1 of the secret keys of any period
other than these t are known to the adversary. Since the message is split into
shares by an AONT, it is computationally infeasible to break indistinguishability
even after seeing part of the sub-messages generated by the AONT. However, an
adversary can bypass this hard task entirely: it only needs to modify the challenge
ciphertext using the secret keys it knows and then get help from the Decryption
Oracle DO. In fact, it can obtain any component secret key sk_j by sending an
adaptive query to the Key Exposure Oracle KE for some period i with j ∈ S_i.
It can then decrypt c_j = Enc_j(m_j) and re-encrypt m_j. It always succeeds in
producing c'_j = Enc_j(m_j) with c'_j ≠ c_j, since according to the system settings
all component ciphers are semantically secure and hence randomized. Now the
adversary replaces c_j with c'_j in the challenge and submits this "new" ciphertext
C' to DO, which returns the corresponding message M. This attack works for any
period i.

The original generic construction of [11] therefore does not achieve chosen
ciphertext security. Nevertheless, if every component cipher is chosen to be
IND-CCA-secure, the generic construction is IND-ME-wCCA-secure (Theorem 3).
We note that this scheme still provides very practical security.
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8.1 CCA-Secure Key-Insulated Cryptosystem 

The feasibility of constructing a CCA-secure key-insulated cryptosystem (par-
allel multiple encryption) has already been shown in Section 5.1. Here we are only
interested in whether, given IND-CCA-secure ciphers as building blocks, a parallel
construction can be transformed into a CCA-secure key-insulated cryptosystem
with minimal modification. Recall that coin_i is the auxiliary randomness input
for the encryption component E_i. Let coin_i = h(r || Index_i), where r is a random
number, Index_i is the description of the i-th component and h is a random func-
tion. Encryption becomes C = MEnc(M || r; (coin_1, ..., coin_n)); in particular, the
IND-CCA component E_i computes Enc_i(m_i; coin_i), where m_i is generated by the
AONT from the input M || r. Decryption becomes: for a ciphertext C', compute
M' || r' = MDec(C') and output M' only if every component c'_i is well formed,
i.e., c'_i = Enc_i(m_i; h(r' || Index_i)) for every 1 ≤ i ≤ n. Whenever it detects that
a ciphertext has used invalid randomness, the Decryption Oracle rejects the query
immediately.

It is easy to see this scheme satisfies the security definition of [11] under 
CCA attack. The proof is easy and will be omitted here. We point out this is 
actually the first generic construction of key-insulated cryptosystem enjoying 
CCA-security (Another generic construction for CCA-secure key-insulated cryp- 
tosystem will be given by Dodis and Katz in their upcoming work, whose security 
can be proven in the standard model.). In fact, this transform turns IND-ME-CPA 
secure multiple encryptions into IND-ME-CCA-secure ones. 
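The re-randomization attack of Section 8 and the transform of Section 8.1, as an added example in Python; this is not code from the paper. It assumes a toy randomized component cipher (an HMAC-SHA256 keystream), XOR secret sharing standing in for the AONT, a decryption oracle that refuses only the exact challenge ciphertext, and function names of our own choosing.

```python
import hashlib
import hmac
import os

COIN_LEN = 16  # bytes of auxiliary randomness coin_i per component


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, coin, n):
    """Expand (key, coin) into n keystream bytes with a counter (assumption: HMAC-SHA256)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, coin + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


# Toy randomized component cipher E_i: the attack only needs it to be re-randomizable
# by whoever holds sk_i, which holds for any semantically secure component.
def comp_enc(key, m, coin):
    return coin + xor(m, keystream(key, coin, len(m)))


def comp_dec(key, c):
    coin, body = c[:COIN_LEN], c[COIN_LEN:]
    return xor(body, keystream(key, coin, len(body)))


# AONT stand-in: XOR secret sharing, every share is needed to recover the payload.
def split(payload, n):
    shares = [os.urandom(len(payload)) for _ in range(n - 1)]
    last = payload
    for s in shares:
        last = xor(last, s)
    return shares + [last]


def combine(shares):
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor(out, s)
    return out


# Generic parallel construction as attacked in Section 8: independent coins per component.
def menc_plain(keys, M):
    return [comp_enc(k, s, os.urandom(COIN_LEN)) for k, s in zip(keys, split(M, len(keys)))]


def mdec_plain(keys, C):
    return combine([comp_dec(k, c) for k, c in zip(keys, C)])


# Section 8.1 transform: coin_i = h(r || Index_i), and decryption re-encrypts every component.
def coin_for(r, i):
    return hashlib.sha256(r + i.to_bytes(4, "big")).digest()[:COIN_LEN]


def menc_cca(keys, M):
    r = os.urandom(COIN_LEN)
    shares = split(M + r, len(keys))
    return [comp_enc(k, s, coin_for(r, i)) for i, (k, s) in enumerate(zip(keys, shares))]


def mdec_cca(keys, C):
    shares = [comp_dec(k, c) for k, c in zip(keys, C)]
    payload = combine(shares)
    M, r = payload[:-COIN_LEN], payload[-COIN_LEN:]
    for i, (k, s, c) in enumerate(zip(keys, shares, C)):
        if comp_enc(k, s, coin_for(r, i)) != c:  # invalid randomness: reject the query
            return None
    return M


class DecryptionOracle:
    """DO of the ME-CCA game: answers everything except the challenge ciphertext itself."""

    def __init__(self, keys, mdec, challenge):
        self.keys, self.mdec, self.challenge = keys, mdec, challenge

    def query(self, C):
        if C == self.challenge:
            raise ValueError("challenge ciphertext may not be queried")
        return self.mdec(self.keys, C)


def rerandomize_attack(C_b, j, sk_j, oracle):
    """Adversary holding sk_j (from the key exposure oracle): re-encrypt component j to get
    C' != C_b carrying the same plaintext, then ask DO to decrypt C'."""
    m_j = comp_dec(sk_j, C_b[j])
    C_prime = list(C_b)
    C_prime[j] = comp_enc(sk_j, m_j, os.urandom(COIN_LEN))
    return oracle.query(C_prime)


def run(n=3, M=b"attack at dawn!!"):
    """Constructed scenario: n components, adversary knows sk_1; returns the outcome of both games."""
    keys = [os.urandom(32) for _ in range(n)]
    C_b = menc_plain(keys, M)
    plain_result = rerandomize_attack(C_b, 1, keys[1], DecryptionOracle(keys, mdec_plain, C_b))
    C_b2 = menc_cca(keys, M)
    cca_result = rerandomize_attack(C_b2, 1, keys[1], DecryptionOracle(keys, mdec_cca, C_b2))
    return {
        "plain_leaks": plain_result == M,
        "cca_rejects": cca_result is None,
        "cca_roundtrip": mdec_cca(keys, C_b2) == M,
    }
```

In the plain scheme the oracle decrypts C' ≠ C_b to the challenge message, exactly as described above; with the Section 8.1 coins the decryptor recovers r, recomputes c_j from h(r || Index_j) and rejects the modified component.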
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Abstract. We present two new schemes for efficient certificate revoca-
tion. Our first scheme is a direct improvement on a well-known tree-based
variant of the NOVOMODO system of Micali [11]. Our second scheme 
is a direct improvement on a tree-based variant of a multi-certificate re- 
vocation system by Aiello, Lodha, and Ostrovsky [1]. At the core of our 
schemes is a novel construct termed a QuasiModo tree, which is like a 
Merkle tree but contains a length-2 chain at the leaves and also directly 
utilizes interior nodes. This concept is of independent interest, and we 
believe such trees will have numerous other applications. The idea, while 
simple, immediately provides a strict improvement in the relevant time 
and communication complexities over previously published schemes. 



1 Introduction 

As we move to an increasingly online world, public-key cryptography will be 
prevalent. Underlying such use we must have a public-key infrastructure (PKI) 
that constitutes the policy, procedures, personnel, components, and facilities for 
binding public keys to identities or authorizations for the purposes of offering 
desired security services. Typically, a PKI includes a certificate authority (CA) 
that not only issues binding certificates but also manages them. When issuing a 
certificate, the CA obviously must check that a user’s credentials are accurate, 
but even a legitimately issued certificate may need to be revoked. Handling 
revocation is one of the most challenging components of certificate management. 

The Certificate Revocation Problem. While a certificate’s validity may be 
limited by an expiration date, we may sometimes wish to revoke a certificate prior 
to this time. For example, a key holder may change his affiliation or position, or 
his private key may have been compromised. This problem is both fundamental 
and critical - the lack of an efficient solution will hinder the widespread use of 
PKI. Accordingly, we need an efficient mechanism for revoking a certificate. 

One common approach is a certificate revocation list (CRL), which is a signed 
and time-stamped list issued by the CA specifying which certificates have been 

* A very preliminary portion of this work was conducted when F. Elwailly and Z. 
Ramzan were at IP Dynamics, Inc. 
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revoked according to some identifier like a serial number. These CRLs must
be distributed periodically, even if there are no changes, to prevent illegitimate
reuse of stale certificates. CRLs are appealing because of their simplicity. How-
ever, their management may be unwieldy with respect to communication, search,
and verification costs. An alternative approach, proposed by Kocher [7], is a Cer-
tificate Revocation Tree (CRT), which is a Merkle tree that associates each leaf
with a revoked certificate. We describe Merkle trees in greater detail below.

Rather than posting full-fledged lists of revoked certificates, the CA may in- 
stead answer online queries about specific certificates. This approach is used in 
OCSP [13], but it has limitations. In particular, the CA must sign each response, 
which may be computationally infeasible given that it may have to handle nu- 
merous requests. A centralized CA creates a major scalability issue because all 
requests are routed through it. On the other hand, a decentralized CA may lower 
security since the precious signing key will be replicated on multiple servers, 
thereby creating multiple attack points. 

The NOVOMODO Approach. Micali [10, 11, 12] addressed these problems 
in an elegant scheme now called NOVOMODO. His scheme works with any 
standard certificate format such as X.509 and allows a CA to provide validity 
status of a certificate at any pre-specified time interval such as a day, an hour, 
etc. NOVOMODO uses a hash chain together with a single digital signature. The 
advantage is that the cost of the single signature is amortized over many validity 
proofs. Unfortunately, NOVOMODO requires verification time proportional to 
the number of periods that have passed between two queries, assuming that 
the verifier caches information from previous sessions. If, however, the verifier 
does not cache such information, verification time is proportional to the number 
of intervals that have passed since the certificate’s creation. Even though hash 
functions require much less time to compute than traditional signatures, hash 
chain traversal costs may be prohibitively expensive for long chains. For example, 
benchmark tests conducted using the Crypto++ library showed that SHA-1 is
about 5000-6000 times faster than RSA-1024 signing and about 200 times faster 
than verification. On the other hand, SHA-1 is only 500-600 times faster than 
ESIGN-1023 signing and about 200 times faster than verification. See [3] for 
further details. This data suggests that while cryptographic hash functions are 
faster than signatures, long hash chains are very undesirable, especially for some 
of the faster signature schemes like ESIGN [16]. Therefore, a natural extension 
to NOVOMODO that uses Merkle trees was pointed out by Gasko et al. [4] as 
well as by Naor and Nissim [14]. This variant has the nice property that validity 
proof size is logarithmic in the total number of update periods. 

Multi-Certificate Revocation. Aiello, Lodha, and Ostrovsky [1] discovered 
a clever extension to the NOVOMODO approach which allows the CA to provide 
validity status for a group of certificate owners with a single proof. The idea is to 
form a cover set F consisting of various subsets of the set of certificate owners,
and construct a Merkle tree or a hash chain for each element of the cover. The
cover is constructed so that for any arbitrary subset of revoked users, there are
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elements in the cover whose union exactly constitutes the set of non-revoked
users. Then, at a given interval, instead of providing validity information for
each individual certificate owner, the CA finds elements of F whose union is
the set of non-revoked users. The validity proof, which consists of various
Merkle tree or hash chain values, is published just for these elements.

Our Contribution: The QuasiModo Approach. We propose an alternative
to Merkle trees which we term QuasiModo trees. QuasiModo trees differ from
Merkle trees in two ways. First, their leaves are augmented with hash chains of length 2. Second,
rather than starting validity proofs at the leaves, as is typically done in Merkle 
trees, QuasiModo trees are carefully numbered to allow proofs to start with al- 
ternate internal nodes of the tree. The idea, while simple, does not seem to have 
appeared previously. Yet, the result is a direct improvement in both the overall 
verification complexity, as well as the communication complexity, over previous 
tree-based schemes. Moreover, validity proofs are small enough to fit within a 
single packet - so the extra communication (compared to hash chains) required 
in practice is negligible. Table 1 summarizes the results of using QuasiModo 
trees as compared to Merkle trees. QuasiModo trees are of independent interest 
and may be used to improve other schemes involving Merkle trees. For example, 
they have recently been applied to the problem of secure billing in networks [5] . 

Organization. The next section states various preliminaries. Section 3 de- 
scribes the NOVOMODO scheme and section 4 explains the QuasiModo im- 
provement to NOVOMODO. Section 5 discusses the multi-certificate revocation 
extension to NOVOMODO proposed by [1] and describes how to improve it us- 
ing QuasiModo trees. Finally, section 6 analyzes the performance of QuasiModo 
trees as compared to Merkle trees, and provides a security proof for our schemes. 



2 Preliminaries 

Model and Notation. We have a certificate authority C who issues public-key 
certificates, and two participants Alice A and Bob B. B has a public key that A 
wishes to verify. We assume the existence of an open or closed PKI where both 
C and B have public-private key pairs. Let (Sk, Pk) denote a key pair where Sk is 
the private signing key for computing the signature on a message, and Pk is the 
public verification key corresponding to Sk. Subscripts denote which keys belong 
to specific individuals. So, the key pair for C is (Pk_C, Sk_C) and the key pair for
B is (Pk_B, Sk_B). Let DS = (KG, Sign, Vf) denote a digital signature scheme that
is secure against existential forgery under adaptive chosen message attack [6].
Here KG denotes the key generation algorithm, Sign(Sk, M) denotes the signing
algorithm which outputs a signature σ on message M under signing key Sk (the
signing algorithm may be randomized), and Vf(Pk, M, σ) ∈ {0,1} denotes the
verification algorithm which evaluates to 1 if the signature σ on message M is
correct with respect to the public key Pk. We remark that KG implicitly takes as 
input a security parameter specifying the lengths of the keys it should generate. 
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Let {0, 1}* denote the set of all bit strings. Let H denote a cryptographic
compression function that takes as input a b-bit payload and produces a v-
bit output. In our constructions b = 2v, which can be achieved by all well-
known compression function constructions through padding. H also utilizes a
v-bit initialization vector or IV which we assume is fixed and publicly known.
For simplicity, we do not view the IV as an actual hash function argument, so
we may not always explicitly list it as an input. A practical example of such a
cryptographic compression function is SHA-1 [15], whose output and IV size is
20 bytes and whose payload size is 64 bytes. In any practical instantiation of
our schemes we will not need to operate on data larger than the compression
function payload size; however, there are numerous standard techniques such as
iterated hashing or Merkle trees [9] for doing so. For convenience, we use the
term hash function instead of compression function, where it is understood that
a hash function can take arbitrary length strings in {0, 1}* and produce a fixed
length output in {0, 1}^v. The symbol H denotes such a function. We assume
cryptographic compression functions and the hash functions built on top of them
are one way and collision resistant (i.e., finding two distinct inputs m_1 ≠ m_2
such that H(IV, m_1) = H(IV, m_2) is difficult).

For a length-preserving function f : {0, 1}^n → {0, 1}^n and an integer i ≥
1, let f^i denote its i-fold composition: f^1(x) = f(x) for i = 1 and f^i(x) =
f(f^{i−1}(x)) for i > 1. We say f is a one-way function if, given f(x), where x
is randomly chosen, it is hard to find a z such that f(z) = f(x), except with
negligible probability. We say f is one way on its iterates if for any i, given f^i(x),
it is hard to find a z such that f(z) = f^i(x), except with negligible probability.
In practice, one often constructs a candidate function that is one way on its
iterates by starting with a hash function H and padding part of the payload
to make it length preserving. Finally, for a real number r, let ⌈r⌉ denote the
smallest integer greater than or equal to r. Similarly, ⌊r⌋ denotes the largest
integer less than or equal to r.



Merkle Trees. We now describe Merkle trees [9]. Suppose that we have m
values x_1, ..., x_m, each of which is in {0, 1}^n. For simplicity, assume that m is
a power of 2. Let H : {0, 1}^{2n} → {0, 1}^n be a cryptographic hash function. The
Merkle tree associated with x_1, ..., x_m under hash function H is a balanced bi-
nary tree in which each node u is associated with a specific value Value(u). There
are m leaves, and for each leaf ℓ_i, Value(ℓ_i) = x_i, 1 ≤ i ≤ m. For an interior vertex
v, let C_0(v) and C_1(v) denote its left and right children. Let ∘ denote the concate-
nation operation. Then, Value(v) = H(IV, Value(C_0(v)) ∘ Value(C_1(v))). Merkle
trees may be used to digest data in digital signatures, where the signed digest
corresponds to the value associated with the root. If the underlying compression
function is collision resistant, then it is hard to find two different messages whose
Merkle root value is identical [2, 8]. We will also make use of the notion of the
co-nodes for a given vertex in a Merkle tree. For a vertex v, CoNodes(v) is the
set of siblings of the vertices on the path from v to the root. More formally, if
we let Sib(v) and Parent(v) denote v's sibling and parent respectively, then:
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\[
\mathrm{CoNodes}(v) = \begin{cases}
\emptyset & \text{if } v \text{ is the root} \\
\{\mathrm{Sib}(v)\} \cup \mathrm{CoNodes}(\mathrm{Parent}(v)) & \text{otherwise.}
\end{cases} \tag{1}
\]

Finally, for a set of co-nodes, we abuse notation by letting Value(CoNodes(v))
denote the values associated with the co-nodes of a vertex v. The analogous
notion of co-nodes exists for any arbitrary tree. Given the values of a vertex and
its co-nodes, we can calculate the root value of the tree. In particular, let the
value associated with a vertex be v and let the values of its co-nodes be v_1, ..., v_ℓ,
listed from the bottom of the tree upward. Then, the root value is h_ℓ, where
h_1 = H([v, v_1]) and h_i = H([h_{i−1}, v_i]), 2 ≤ i ≤ ℓ, and where [h, v_i] equals
v_i ∘ h if v_i is a left child or h ∘ v_i if v_i is a right child.



3 NOVOMODO 

We now describe the NOVOMODO scheme of Micali [10, 11, 12]. The scheme 
can be broken up into three phases: a set up phase in which the CA C issues 
a certificate to a user Bob B, an update phase in which C provides an efficient 
proof of revocation or validity, and a verification phase where a user Alice A 
determines the status of B's certificate. 

Set Up. Let f be a function that is one way on its iterates. Let D denote tradi-
tional certificate data (e.g., B's public key, a serial number, a string that serves
as B's identity, an issue date, and an expiration date). Let p denote the number
of periods in the certificate scheme. The CA C associates with the certificate
data D two numbers y_p and N_1 computed as follows. C picks values y_0 and N_0
at random from {0, 1}^n. He sets y_p = f^p(y_0) and N_1 = f(N_0). We refer to y_p as
the validity target and N_1 as the revocation target for reasons that will shortly
become clear. The certificate consists of ((D, y_p, N_1), Sign(Sk_C, (D, y_p, N_1))).

Periodic Certificate Updates. The directory is updated each period (for
example, if p = 365, then the update interval might be daily for certificates that
are valid for one year). At period i, if the certificate is valid, then C sends out
y_{p−i} = f^{p−i}(y_0). If the certificate has been revoked, C sends out N_0.

Verifying Certificate Status. Suppose A wants to verify the status of a
certificate at period i. We assume A performs the standard checks; e.g., the
certificate has not expired and C's signature on the certificate is valid. Now, if
C claims the certificate has been revoked, then A takes the value N_0 sent by C
and checks if N_1 = f(N_0). Note that she knows N_1 since it is in the certificate.
Similarly, if C claims the certificate has not been revoked, then A takes the value
y_{p−i} sent by C and checks if f^i(y_{p−i}) = y_p. Again, note that A knows y_p.
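The three NOVOMODO phases as an added Python example, not code from the paper. It assumes SHA-256 as the function f that is one way on its iterates, and it counts the hash calls a verifier spends so that the cost of verification with and without a cached previous proof can be compared; the class and function names are ours.

```python
import hashlib


def f(x):
    """Length-preserving function on 32-byte strings (assumption: SHA-256 stands in for f)."""
    return hashlib.sha256(x).digest()


def f_iter(x, t):
    """t-fold composition f^t(x)."""
    for _ in range(t):
        x = f(x)
    return x


class NovomodoCA:
    """CA side: computes the targets for the certificate and the per-period directory update."""

    def __init__(self, p, y0, n0):
        self.p, self.y0, self.n0 = p, y0, n0
        self.revoked = False

    def targets(self):
        # (y_p, N_1) go into the signed certificate data
        return f_iter(self.y0, self.p), f(self.n0)

    def update(self, i):
        # what the directory publishes at period i
        if self.revoked:
            return ("revoked", self.n0)
        return ("valid", f_iter(self.y0, self.p - i))


class Verifier:
    """Relying party A: knows (y_p, N_1) from the certificate and may cache the last accepted proof."""

    def __init__(self, yp, n1):
        self.yp, self.n1 = yp, n1
        self.cache = None  # (period j, y_{p-j}) of the last accepted validity proof

    def check(self, i, msg):
        """Returns (accepted, hash_calls) for the directory message msg claimed for period i."""
        kind, val = msg
        if kind == "revoked":
            return f(val) == self.n1, 1
        if self.cache is not None and self.cache[0] < i:
            j, yj = self.cache  # only the i - j intervals since the last accepted proof
            steps, target = i - j, yj
        else:
            steps, target = i, self.yp  # no cache: hash all the way to the validity target
        ok = f_iter(val, steps) == target
        if ok:
            self.cache = (i, val)
        return ok, steps
```

A replayed proof for an earlier period fails against both the validity target and a cached value, since f^{i−j} of the stale value lands on a different chain element.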

NOVOMODO WITH Merkle Trees. One undesirable property of NOVO- 
MODO is that the verification time is linear in the size of the interval between 
consecutive validity checks made by A assuming A always caches responses from 
previous queries. For example, if the update period is every 3 hours and certifi- 
cates are valid for a year, then A may have to make up to several thousand hash 
function calls when verifying a certificate. To address this concern, the following 
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use of Merkle trees in NOVOMODO has been suggested [1, 4, 14]. The CA C
creates a Merkle tree with 2p leaves ℓ_1, ..., ℓ_{2p}, each of which is assigned a se-
cret pseudorandom value, and signs the root.† The leaves are numbered left to
right from 1 to 2p, and at time period i, if the certificate is valid, C sends out
Value(ℓ_{2i}) and Value(CoNodes(ℓ_{2i})).

4 QuasiModo Trees for Single Certificate Revocation 

Having described NOVOMODO, we describe our QuasiModo approach. At a 
high level, QuasiModo replaces the NOVOMODO Merkle trees with QuasiModo 
trees. These trees yield a performance improvement over using Merkle trees. 

QuasiModo Trees. QuasiModo trees bear some similarity to the Merkle trees 
used in NOVOMODO, except that we first append length-2 hash chains to the 
bottom of the tree, and we next carefully number every other interior vertex 
so they can be efficiently used directly in validation proofs. The power of using 
such trees is that a subset of the internal nodes can be directly utilized in the 
certificate revocation scheme and we do not always have to use the leaves as is 
done in the normal Merkle case. The upshot is a sizeable improvement in both 
the verification complexity and communication complexity. 

We start with m randomly chosen values x_1, ..., x_m; note that these values
can be pseudorandomly generated from a single sufficiently large random seed.
For simplicity, suppose that m = 2^k for some integer k ≥ 0. We set up a tree as
follows. The bottom layer has m vertices which are only children (i.e., they have
no siblings). Next, we construct a balanced binary tree of depth k + 1 which
resides on top of the bottom-level m vertices. We assign values to each of the
vertices as follows. The bottom-level m vertices take on the values x_1, ..., x_m
respectively. For the layer that is directly on top of the bottom layer, we assign
the n-bit value f(x_i) to the i-th such vertex, where f : {0, 1}^n → {0, 1}^n is
a one-way function. That is, if ℓ'_i is such a vertex, then Value(ℓ'_i) = f(x_i), for
1 ≤ i ≤ m. For any interior node v that is above the bottom two layers, Value(v) =
H(IV, Value(C_0(v)) ∘ Value(C_1(v))). In practice, we would typically construct f
by appropriately padding H; so, from now on, we only refer to H.

Another way to precisely characterize the same tree is as follows. There are
3m − 1 vertices. These are respectively: ℓ_1, ..., ℓ_m, ℓ'_1, ..., ℓ'_m, v_1, ..., v_{m−1}.
The values are assigned as follows. Value(ℓ_i) = x_i and Value(ℓ'_i) = f(x_i), for
1 ≤ i ≤ m. Next, let λ(i) = 2(i − m/2) + 1 and let ρ(i) = 2(i − m/2) + 2. For
i ∈ {m/2, m/2 + 1, ..., m − 1}, we have Value(v_i) = H(Value(ℓ'_{λ(i)}) ∘ Value(ℓ'_{ρ(i)})).
Finally, for i ∈ {1, ..., m/2 − 1}, we have Value(v_i) = H(Value(v_{2i}) ∘ Value(v_{2i+1})).
This constitutes the assignment of values to the vertices. Now, we describe the
directed edges. There is a directed edge from ℓ_i to ℓ'_i for 1 ≤ i ≤ m. For i ∈
{m/2, m/2 + 1, ..., m − 1}, we have a directed edge from ℓ'_{λ(i)} to v_i and a directed
edge from ℓ'_{ρ(i)} to v_i. Finally, for i ∈ {1, ..., m/2 − 1}, we have a directed edge
from v_{2i} to v_i and a directed edge from v_{2i+1} to v_i. At a high level, we put a
directed edge from a vertex u to a vertex w if Value(u) was explicitly used to
calculate Value(w).

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
† Though it does not seem to have been observed previously in [1, 4, 14], the values
ℓ_{2i}, 1 ≤ i ≤ p, can be made public without compromising security of the scheme.

Next, we apply the following two-coloring to the nodes in the tree. If a vertex
is a left child or has no siblings (as in the case of the ℓ_i vertices), we color it grey.
All other vertices, including the root, are colored white. Finally, the grey nodes
are numbered breadth first (but where the edge directions are ignored). That
is, we start at the top of the tree, and work our way down to each consecutive
level, numbering each grey node sequentially from left to right. At first this idea
of numbering the grey vertices may seem somewhat unnatural, but it turns out
to be convenient since the value of the i-th grey vertex is involved in the validation
proof at period i. We refer to the i-th grey vertex as gv(i). Figure 1 illustrates a
QuasiModo tree that can accommodate a revocation scheme with 7 periods and
a Merkle tree that accommodates 8 periods.

In general, a QuasiModo tree accommodating p = 2^k − 1 periods requires
(3p + 1)/2 vertices. A Merkle tree accommodating p = 2^k periods requires 4p − 1
vertices. A QuasiModo tree is thus approximately 8/3 times smaller than
the corresponding Merkle tree. Note that we may naturally extend the notion of
a QuasiModo tree to an ℓ-chained QuasiModo tree in which each internal vertex
is replaced with a hash chain of length ℓ. This extension provides a middle ground
between the tradeoffs achieved from QuasiModo trees and regular hash chains.




Fig. 1. On the left we have an 11-vertex QuasiModo tree, which can be used 
for 7 periods; the value of each interior node is the hash of the concatenation of 
the values of its children. Every grey vertex is numbered sequentially top-down 
left-to-right. On the right, we have a 31-vertex Merkle tree, which can be used 
for 8 periods. By using interior nodes and a hash chain at the end, we can get 
a more compact tree - resulting in shorter proofs, shorter verification time and 
lower communication complexity. 
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Set Up. As in NOVOMODO, let D denote traditional certificate data. The
CA C associates with the certificate data D two numbers y_r and N_1 computed
as follows. C constructs a QuasiModo tree and sets y_r to be the value assigned to
the root of that tree. He sets N_1 = f(N_0) as he did for NOVOMODO. The
certificate consists of ((D, y_r, N_1), Sign(Sk_C, (D, y_r, N_1))).

Periodic Certificate Updates. The directory is updated each period. At pe-
riod i, if the certificate is valid, C sends out (Value(gv(i)), Value(CoNodes(gv(i)))).
If the certificate has been revoked, he sends out N_0. Note that if A received co-
node values from previous validity checks, it is not necessary for C to send every
value in Value(CoNodes(gv(i))).

Verifying Certificate Status. Suppose that A wants to verify the status of
a certificate at period i. We assume she first performs all the standard checks;
e.g., the certificate has not expired and C's signature is correct. Now, if C claims
the certificate has been revoked, then A takes the value N_0 sent by C and checks
if indeed N_1 = f(N_0). If C claims the certificate has not been revoked, then A
takes the values Value(gv(i)) and Value(CoNodes(gv(i))) and uses them to compute
the QuasiModo tree root. Note that this step requires at most ⌊log_2 i⌋ + 1 hash
computations for QuasiModo trees as opposed to ⌈log_2 p⌉ + 1 for Merkle trees.
If the computed root matches the value y_r, then the certificate is valid. Alter-
natively, if A has already verified a certificate for a previous period j (and has
stored the proof), and some of the vertex values associated with period i are in
a subtree rooted at a vertex associated with the certificate for period j, then A
only needs to use the co-nodes to compute up to that subtree root.
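The QuasiModo tree of Section 4 (value assignment, grey numbering, proof generation and the verifier's root recomputation) as an added Python example; this is not the paper's code. It assumes SHA-256 for H and a domain-separated SHA-256 for f, uses class and function names of our own, and counts the verifier's hash calls so the ⌊log_2 i⌋ + 1 bound can be checked for every period of a tree.

```python
import hashlib


def H(left, right):
    """Hash of the concatenation of two child values (assumption: SHA-256 with its fixed IV)."""
    return hashlib.sha256(left + right).digest()


def f(x):
    """Length-preserving one-way function for the length-2 chain (assumption: domain-separated SHA-256)."""
    return hashlib.sha256(b"f:" + x).digest()


class Vertex:
    def __init__(self, value, is_left):
        self.value = value      # Value(vertex)
        self.is_left = is_left  # True: left child, False: right child, None: only child or root
        self.parent = None
        self.sibling = None


class QuasiModoTree:
    def __init__(self, xs):
        m = len(xs)
        if m < 2 or m & (m - 1):
            raise ValueError("m must be a power of two, at least 2")
        self.m = m
        leaves = [Vertex(x, None) for x in xs]                        # l_i, only children
        chain = [Vertex(f(x), j % 2 == 0) for j, x in enumerate(xs)]  # l'_i = f(x_i); l'_odd are left children
        for leaf, lp in zip(leaves, chain):
            leaf.parent = lp
        levels = [chain, leaves]
        level = chain
        while len(level) > 1:  # build v_{m-1} .. v_1 bottom-up; v_i is a left child iff i is even
            nxt = []
            for j in range(0, len(level), 2):
                a, b = level[j], level[j + 1]
                v = Vertex(H(a.value, b.value), (j // 2) % 2 == 0)
                a.parent = b.parent = v
                a.sibling, b.sibling = b, a
                nxt.append(v)
            levels.insert(0, nxt)
            level = nxt
        self.root = level[0]
        self.root.is_left = None
        self.levels = levels  # top-down, left-to-right within each level
        # grey vertices: left children and only children (the root is white), numbered breadth first
        self.grey = [v for lvl in levels for v in lvl if v is not self.root and v.is_left is not False]
        self.periods = len(self.grey)                         # 2m - 1
        self.num_vertices = sum(len(lvl) for lvl in levels)   # 3m - 1

    def gv(self, i):
        return self.grey[i - 1]

    def conodes(self, v):
        """Value(CoNodes(v)) bottom-up, each tagged with whether that co-node is a left child."""
        out = []
        while v is not self.root:
            if v.sibling is not None:
                out.append((v.sibling.value, v.sibling.is_left))
            v = v.parent
        return out

    def proof(self, i):
        """Validity proof for period i: (Value(gv(i)), Value(CoNodes(gv(i))))."""
        v = self.gv(i)
        return v.value, self.conodes(v)


def verify(root_value, i, m, value, conodes):
    """Verifier side: recompute the root from the period-i proof; returns (ok, hash_calls)."""
    if i >= m:  # gv(i) is a bottom vertex l_j (periods m .. 2m-1): climb the length-2 chain first
        h, calls = f(value), 1
    else:
        h, calls = value, 0
    for cv, cv_is_left in conodes:
        h = H(cv, h) if cv_is_left else H(h, cv)
        calls += 1
    return h == root_value, calls


def demo(m=8):
    """Build a tree for 2m-1 periods and verify every period's proof; returns (tree, per-period costs)."""
    xs = [hashlib.sha256(b"seed" + bytes([j])).digest() for j in range(m)]  # leaves derived from one seed
    tree = QuasiModoTree(xs)
    costs = {}
    for i in range(1, tree.periods + 1):
        value, conodes = tree.proof(i)
        ok, calls = verify(tree.root.value, i, m, value, conodes)
        if not ok:
            raise AssertionError("proof for period %d failed" % i)
        costs[i] = (len(conodes), calls)
    return tree, costs
```

For m = 8 the tree has 23 vertices and serves 15 periods; a Merkle variant with 2p = 30 leaves would need a depth-5 tree and five hashes for every period, whereas here period i costs ⌊log_2 i⌋ + 1 hashes, only reaching four for the bottom vertices.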



5 QuasiModo Trees for Multi-certificate Revocation 

We now propose the use of QuasiModo trees to improve a scheme of Aiello,
Lodha, and Ostrovsky (ALO) [1]. We first describe the generalized scheme, and
then give examples of how to instantiate it. To describe the scheme, we must
consider the notion of a complement cover family. Let U denote the universe;
in our setting, it will be the set of all certificate holders (regardless of whether
the certificate has been prematurely revoked). Let R ⊆ U; in our setting, R will
denote the set of certificate holders whose certificates have been revoked prior
to expiration. Let R̄ = U − R. That is, R̄ will be the set of certificate holders
whose certificates are currently not revoked. Now, let S be a set whose elements
are subsets of U. We say that S is a complement cover of R if ∪_{W ∈ S} W = R̄. We
can extend this notion to the universe as follows. Let F be a set whose elements
are subsets of U. We say that F is a complement cover family of U if and only if,
for every subset R of U, F contains a complement cover of R. That is, for every
subset R of U, there is a subset S of F such that S is a complement cover of R.
The set of all singletons is a simple example of a complement cover family. That
is, F = {{u_1}, ..., {u_a}} where U = {u_1, ..., u_a}. Indeed, it is very easy to see
that the singleton cover must be contained in any complement cover family for
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the universe U. At another extreme, the power set, or set of all subsets of a set,
is also trivially seen to be a complement cover family.

At a high level in the ALO [1] scheme, the CA first constructs a complement
cover family for the universe of certificate holders. Next, he assigns a Merkle
tree to each element of the complement cover family. For a given certificate
owner B, let F(B) denote the set of elements of F to which the user belongs.
The validation targets the CA incorporates in its user certificate are the roots
of the Merkle trees corresponding to the elements of F(B). Now, to provide a
validation proof at period i for a group of users, the CA first determines the set of
revoked users R. Then, he computes the complement cover of R contained in F;
call it S. Note that such a complement cover S exists since F is a complement
cover family for the universe U. The CA produces the leaf and its co-nodes
in the associated Merkle tree for each element of S. To check the validity of B's
certificate in period i, a verifier A checks that the CA has revealed the leaf
for at least one element of S in F(B). We can replace these Merkle trees with
QuasiModo trees, and we now describe how to do so.

Set Up. Let U denote the universe of all certificate holders. Then the CA C
constructs a complement cover family F. Let p denote the number of periods.
For each element of F, the CA C constructs an independent QuasiModo tree
that allows for p periods. We let D denote traditional certificate data. The CA
C associates with the certificate data D a set of validation targets and a single
revocation target as follows. C picks a value N_0 at random from {0, 1}^n. He sets
N_1 = f(N_0), where N_1 represents the revocation target. C constructs a set of
validity targets for the certificate owner B as follows. He computes F(B), which
is the set consisting of elements of F of which B is a member. Suppose that there
are k elements of F(B); call them F_1, ..., F_k. Let r_1, ..., r_k denote the values
of the roots of the QuasiModo trees associated with F_1, ..., F_k. The certificate
consists of ((D, r_1, ..., r_k, N_1), Sign(Sk_C, (D, r_1, ..., r_k, N_1))). We remark that
for specific complement cover constructions, one can reduce the number of root
values r_i that are included in the augmented certificate data.

Periodic Certificate Updates. The directory is updated each period. At
period i, if a given certificate is revoked, then C sends out the pre-image of the
revocation target (i.e., the value N_0 associated with that certificate); if the
certificate is valid, then C does the following. It first determines the set R of re-
voked holders. It computes the subset S ⊆ F such that S is a complement cover
for R. For each element of S, C sends out the value Value(gv(i)) associated with
the tree corresponding to that element, together with Value(CoNodes(gv(i))).

Verifying Certificate Status. Suppose that A wants to check the status
of B's certificate at period i. She first checks the expiration date and that the
signature by the CA C is valid. If C claims the certificate has been revoked,
then A takes the value N_0 sent by C and checks if indeed N_1 = f(N_0). If C
claims the certificate has not been revoked, then A takes the values Value(gv(i))
and Value(CoNodes(gv(i))) associated with the element of the complement cover
that is in F(B). A computes the QuasiModo tree root value. If the computed
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root value matches one contained in the certificate, then the certificate is valid.
Alternatively, if A has already verified a certificate for a previous period j (and
has stored the relevant verification information), and a vertex associated with
the proof in period i is in a subtree rooted at a vertex associated with the
certificate for period j, then A only needs to use the co-nodes to compute up to
that subtree root.

Binary Tree Hierarchy. For completeness, we review a specific complement cover family construction known as the binary tree hierarchy. Assume, for simplicity, that the number of certificate holders is 2^k for some integer k > 0. We create a binary tree with 2^k leaves and assign to every vertex a subset of the universe of certificate holders. At each leaf, we assign the singleton set corresponding to a single certificate holder. At each internal node, we assign the subset corresponding to the union of the subsets of its children. The complement cover family F consists of the sets assigned to all the vertices. It is clear that F forms a complement cover family; the following steps yield a minimal-size complement cover of any subset R ⊆ U:

1. “Mark” every leaf vertex corresponding to an element of R; 

2. “Mark” every interior vertex on the path from the marked leaf to the root; 

3. Determine the non-marked vertices whose parents are marked; 

4. Consider the subsets associated with these vertices. 
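The four steps above, carried out on a heap-numbered binary tree, together with the set F(B) whose tree roots go into B's certificate (an added example; not code from the paper, and the heap numbering and the handling of an empty R are my own choices):

```python
# Minimal complement cover in the binary tree hierarchy: an added example,
# not code from the QuasiModo paper. Vertices are heap-numbered (root = 1,
# children of v are 2v and 2v+1) and holder h, 0 <= h < 2^k, is leaf 2^k + h.

def leaf_of(holder: int, k: int) -> int:
    """Leaf vertex holding the singleton set {holder}."""
    return (1 << k) + holder


def subset_of(vertex: int, k: int) -> frozenset:
    """Set of holders assigned to a vertex: all holders whose leaves lie below it."""
    depth = vertex.bit_length() - 1             # root has depth 0, leaves depth k
    width = 1 << (k - depth)                    # number of leaves in the subtree
    first = (vertex << (k - depth)) - (1 << k)  # leftmost holder below the vertex
    return frozenset(range(first, first + width))


def sets_containing(holder: int, k: int) -> list:
    """F(B): the family members that contain holder B, i.e. the vertices on the
    path from B's leaf to the root. The certificate carries one tree root per member."""
    v, path = leaf_of(holder, k), []
    while v >= 1:
        path.append(v)
        v //= 2
    return path


def complement_cover(revoked, k: int) -> list:
    """The four steps from the text; returns the cover as a list of vertices."""
    if not revoked:
        # The steps as written mark nothing for R = {} and yield an empty cover;
        # the root's set, the whole universe, is the cover in that case (added handling).
        return [1]
    marked = set()
    for h in revoked:                           # steps 1 and 2: mark leaf and its ancestors
        v = leaf_of(h, k)
        while v >= 1 and v not in marked:       # stop once an already-marked ancestor is hit
            marked.add(v)
            v //= 2
    # step 3: non-marked vertices whose parent is marked (the root has no parent)
    cover = [v for v in range(2, 2 << k) if v not in marked and (v // 2) in marked]
    return cover                                # step 4: their subsets form the cover


def cover_element_for(holder: int, cover: list, k: int):
    """The cover vertex whose set contains a non-revoked holder (None if revoked);
    this is the element of the cover 'that is in F(B)' whose proof the verifier uses."""
    hits = [v for v in cover if v in sets_containing(holder, k)]
    return hits[0] if hits else None


def covers_exactly(cover: list, revoked, k: int) -> bool:
    """Check that the cover's sets are disjoint and their union is U minus R."""
    sets = [subset_of(v, k) for v in cover]
    union = frozenset().union(*sets)
    disjoint = sum(len(s) for s in sets) == len(union)
    return disjoint and union == frozenset(range(1 << k)) - frozenset(revoked)
```

For 8 holders with holders 2 and 5 revoked, the cover is the four vertices 4, 7, 11, 12 with sets {0,1}, {6,7}, {3}, {4}, and a non-revoked holder's F(B) meets the cover in exactly one vertex.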

6 Performance and Security Analysis 

Our QuasiModo single-certificate and multi-certificate revocation systems are 
quite efficient in terms of both computation and communication. We compare 
the performance to their Merkle tree analogues. Our analysis applies to both 
single-certificate revocation as in NOVOMODO and multi-certificate revocation 
as in ALO [1]. Table 1 summarizes the results. 

Complexity Without Caching. Suppose we have p periods where p = 2^k − 1 for some integer k > 0. To refresh a certificate at period p_t, C sends Value(gv(p_t)) and Value(CoNodes(gv(p_t))). The number of co-nodes to be sent is equal to the depth of this vertex, which is ⌊log2(p_t)⌋ + 1. Therefore, the total proof size is ⌊log2(p_t)⌋ + 2, since we need to send the value at vertex p_t itself as part of the proof. To verify, the receiver computes at most ⌊log2(p_t)⌋ + 1 hashes, assuming he has not cached any previous values; if he has saved some information from a previous period, then the number of hashes is smaller. In particular, if the verifier caches the value of a vertex at level L of the QuasiModo tree on the path from grey vertex p_t to the root, then he need only compute ⌊log2 p_t⌋ − L hashes.

For the tree-based version of NovoModo suggested by [4, 14], there are 2p leaves, and hence a binary tree of depth log2 p + 1. However, since this scheme only uses the leaves, the proof size at period p_t is always ⌈log2 p⌉ + 2 and the number of hashes to verify the proof is always ⌈log2 p⌉ + 1. However, since p_t ≤ p, we have that ⌊log2 p_t⌋ ≤ ⌈log2 p⌉. So, the QuasiModo scheme provides a strict improvement. Not only are fewer hash function computations required, but also fewer cache look-ups are required to retrieve proof vertex values.

Complexity With Caching. We compare the bandwidth consumption of QuasiModo tree schemes with Merkle tree schemes assuming that the verifier checks the certificate status at each update period and caches all received results.^1 For p = 2^k − 1 periods the corresponding QuasiModo tree has (3p + 1)/2 vertices; so the total number of proof node values transmitted is (3p − 1)/2, since the root is not counted. For p transactions, the amortized proof size is 3/2 − 1/(2p) hash values per transaction, and assuming caching C always sends exactly 2 values for non-leaf vertices and 1 value for leaf vertices. For a Merkle tree with p = 2^k periods, there are 4p − 1 vertices (2p leaves and 2p − 1 internal nodes). Again, ignoring the root value, the total number of proof node values transmitted is 4p − 2. Thus, the amortized proof size over p transactions is 4 − 2/p. Therefore, the improvement factor is (4 − 2/p)/(3/2 − 1/(2p)) = 8/3 − 4/(9p − 3), which approaches 2 2/3 as p gets large. In practice, however, the effects may be more pronounced since the proof sizes in the Merkle setting will vary with each iteration, going up to ⌈log2 p⌉ + 1 hash values, whereas for QuasiModo trees the size will always be one or two hash values. This variance exhibited by Merkle trees may create performance issues.

We now compare the time complexity of verifying QuasiModo proofs versus Merkle-tree proofs. For p periods, the amortized proof size in a QuasiModo tree is 3/2 − 1/(2p), and we only require p total calls to a cryptographic compression function for verification at each step, assuming that these values fit in the compression function payload, which is the case for practical examples such as SHA-1 [15]. For a Merkle tree the total number of compression-function calls during proof verification is equal to the number of internal (non-leaf) vertices, since each internal vertex results from a single compression function call applied to the concatenation of the values associated with its children. Therefore, the total number of compression function calls is 2p − 1. Consequently, the improvement factor from using QuasiModo trees is 2 − 1/p, which approaches 2 as p gets large.
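A small simulation of the with-caching setting (an added example, not the paper's code): a period tree is disclosed top-down to a verifier that caches every value it has verified, so each period costs one hash and the CA sends one or two values. The tree layout is my assumption, chosen to reproduce the counts in the text, namely (3p + 1)/2 vertices, (3p − 1)/2 transmitted values, p hashes and (p + 1)/2 cached values; the paper's own QuasiModo vertex numbering is defined in its earlier sections and is not reproduced here.

```python
import hashlib

# Added example, not code from the paper. Assumption: p = 2^k - 1 heap-numbered
# period vertices (root = 1) with one secret leaf under each bottom-level vertex,
# a layout that reproduces the vertex and cache counts given in the text.


def H(data: bytes) -> bytes:
    """SHA-1 with its full 20-byte tag, the hash the text uses for sizing."""
    return hashlib.sha1(data).digest()


class PeriodTree:
    def __init__(self, k: int, seed: bytes):
        self.p = (1 << k) - 1                   # number of periods / period vertices
        self.bottom = 1 << (k - 1)              # first vertex of the bottom period level
        # one secret leaf per bottom vertex, derived from a seed so runs are repeatable
        self.leaf = {v: H(seed + v.to_bytes(4, "big"))
                     for v in range(self.bottom, self.p + 1)}
        self.value = {}
        for v in range(self.p, 0, -1):          # bottom-up: hash of children, or of the leaf
            if v >= self.bottom:
                self.value[v] = H(self.leaf[v])
            else:
                self.value[v] = H(self.value[2 * v] + self.value[2 * v + 1])

    def root(self) -> bytes:
        """Validity target placed in the certificate."""
        return self.value[1]

    def vertex_count(self) -> int:
        return self.p + self.bottom             # period vertices plus secret leaves

    def proof(self, t: int) -> list:
        """What the CA sends at period t to a caching verifier: the two children of
        vertex t, or the single secret leaf when t is a bottom-level vertex."""
        if t >= self.bottom:
            return [self.leaf[t]]
        return [self.value[2 * t], self.value[2 * t + 1]]


class CachingVerifier:
    def __init__(self, root: bytes):
        self.cache = {1: root}                  # vertex 1 is known from the certificate
        self.hashes = self.received = 0
        self.peak_cache = 1

    def check(self, t: int, proof: list) -> bool:
        expected = self.cache.pop(t, None)      # vertex t must have been verified before
        if expected is None or len(proof) not in (1, 2):
            return False
        self.received += len(proof)
        self.hashes += 1                        # exactly one compression call per period
        ok = H(b"".join(proof)) == expected
        if not ok:
            self.cache[t] = expected            # keep the cached value; reject the proof
        elif len(proof) == 2:                   # children are now verified, cacheable values
            self.cache[2 * t], self.cache[2 * t + 1] = proof
        self.peak_cache = max(self.peak_cache, len(self.cache))
        return ok


def run_all_periods(k: int) -> dict:
    """Walk every period in order and report the quantities the text derives."""
    tree = PeriodTree(k, b"constructed example seed")
    verifier = CachingVerifier(tree.root())
    sizes = []
    for t in range(1, tree.p + 1):
        proof = tree.proof(t)
        if not verifier.check(t, proof):
            raise RuntimeError("genuine proof rejected at period %d" % t)
        sizes.append(len(proof))
    return {"p": tree.p, "vertices": tree.vertex_count(),
            "received": verifier.received, "hashes": verifier.hashes,
            "peak_cache": verifier.peak_cache,
            "max_proof": max(sizes), "min_proof": min(sizes)}
```

For k = 4 (p = 15) the run reports 23 vertices, 22 transmitted values, 15 hashes and a peak of 8 cached values, matching the formulas above.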

A potential drawback of the QuasiModo approach is that achieving constant-time verification requires the verifier to cache many of the values it receives. In the worst case, for a QuasiModo tree with p periods, the verifier may have to cache up to (p + 1)/2 vertex values (corresponding to the values of the vertices one level from the bottom). This might not be a problem for reasonable parameter values. For example, suppose that a given verifier deals with 100 certificates concurrently, each of which permits 1023 periods (approximately a six-month certificate with update periods every four hours). Then, in the worst case, he needs to keep track of 100 · 512 hash values, which requires under a megabyte of storage assuming we use the SHA-1 hash function with a full 20-byte tag.

^1 In practice there are likely to be many gaps in certificate status checks, but we examine this always-check, always-cache case since it lends itself to a cleaner analysis. This portion of the analysis does not apply to our multi-certificate revocation scheme because there may always be gaps. Note, however, that our tree-based constructions are especially advantageous when there are gaps between checks.
Hash Chains Versus Hash Trees. In a chain-based approach the computation cost may be high since it is linear in the gap size between two verification steps. Trees reduce this to a logarithmic cost. Of course, we make the very reasonable assumption that roughly O(log p) processor cache look-ups require less time than O(p) cryptographic hash function computations. Alternatively, QuasiModo proofs may potentially be short enough to be loaded directly into data registers when reading the incoming proof packet from the CA C. However, one ostensible reason to prefer hash chains is that the proof size is smaller, involving the transmission of just a single hash function value. While the communication requirements of chains, in theory, are smaller, this may not translate into an actual performance improvement in practice, since transmission time is typically proportional to the number of packets sent (assuming that they are reasonably sized) rather than the number of bits sent. The average TCP packet, for example, holds a payload on the order of 536 bytes (after removing 20 bytes each for the TCP and IP packet headers), and TCP packet sizes up to approximately 1500 bytes (the maximum Ethernet packet size) are reasonable, especially if we perform path maximum transmission unit detection to prevent fragmentation. With packet sizes that are much larger than 20 bytes, we may find room for a few extra hash values without requiring the transmission of any extra packets. In particular we can fit 26 hash values (resp. 70+ hash values) in an average-sized (resp. larger-sized) TCP packet with room to spare. These values would permit over 16 million (resp. 256 quintillion = 256 × 10^18) intervals, far more than we may ever require in any practical application. So, in all practical instances, QuasiModo proofs, like NovoModo proofs, would fit into a single packet. Yet, QuasiModo proofs take far less time to verify.
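The chain-based cost referred to above, made concrete (an added example, not code from the paper): a NovoModo-style hash chain whose verifier hashes forward over the gap since its last check, so the work is exactly the gap, and a verifier that checks only once pays p hashes. The seed, period count and use of SHA-1 are constructed for the example.

```python
import hashlib

# Added example, not code from the paper: a hash chain in the style of the
# NovoModo scheme referred to above, instrumented to show that the verifier's
# cost is the number of periods skipped since its last check (the "gap").
# Assumptions: seed and period count are constructed here; H is SHA-1.


def H(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def make_chain(seed: bytes, p: int) -> list:
    """Y[0] = seed, Y[i] = H(Y[i-1]); Y[p] is the validity target in the certificate."""
    ys = [seed]
    for _ in range(p):
        ys.append(H(ys[-1]))
    return ys


def proof_for_period(chain: list, i: int) -> bytes:
    """At period i the CA releases Y[p-i]: hashing it i times reaches the target."""
    p = len(chain) - 1
    if not 1 <= i <= p:
        raise ValueError("period out of range")
    return chain[p - i]


class ChainVerifier:
    def __init__(self, target: bytes):
        self.period, self.value = 0, target     # last verified period and its value
        self.hashes = 0

    def check(self, i: int, proof: bytes) -> bool:
        """Accept Y[p-i] by hashing it forward over the gap i - (last period);
        the work done is exactly the gap. Older or repeated periods are refused,
        so a value released earlier cannot be presented as a newer one."""
        gap = i - self.period
        if gap <= 0:
            return False
        acc = proof
        for _ in range(gap):
            acc = H(acc)
        self.hashes += gap
        if acc != self.value:
            return False
        self.period, self.value = i, proof
        return True


def cost_of_schedule(p: int, periods: list) -> int:
    """Total hashes a chain verifier spends checking at the given periods."""
    chain = make_chain(b"constructed seed", p)
    ver = ChainVerifier(chain[-1])
    for i in periods:
        if not ver.check(i, proof_for_period(chain, i)):
            raise RuntimeError("genuine proof rejected at period %d" % i)
    return ver.hashes
```

Whatever the checking schedule, the chain verifier's total work telescopes to the last period checked, so a verifier that first checks at period 1023 does 1023 hashes at once.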



Metric                             | QuasiModo trees        | Merkle trees
-----------------------------------+------------------------+------------------
Tree Size                          | (3p + 1)/2             | 4p − 1
Proof Size (NC)                    | ⌊log2(p − r)⌋ + 2      | ⌈log2 p⌉ + 2
Verification Time (NC)             | ⌊log2(p − r)⌋ + 1      | ⌈log2 p⌉ + 1
Amortized Proof Size (C)           | 3/2 − 1/(2p)           | 4 − 2/p
Amortized Verification Time (C)    | 1                      | 2 − 1/p
Max. Proof Size (C)                | 2                      | ⌈log2 p⌉ + 2
Max. Proof Verification Time (C)   | 1                      | ⌈log2 p⌉ + 1
Min. Proof Size (C)                | 1                      | 2
Min. Proof Verification Time (C)   | 1                      | 1

Table 1. Comparing QuasiModo trees to Merkle trees for p periods. Here r denotes the number of periods remaining. Sizes are measured with respect to hash function output size (e.g., 20 bytes). Running times are measured in terms of the number of hash computations. Here (C) denotes that the verifier performs validation checks at each interval and caches all values it receives from the CA. We use (NC) when the verifier does not cache at all, but does check at each interval.
Security Analysis. Since a QuasiModo tree is essentially a type of hash tree, it is very straightforward to see the security of our scheme. For completeness, however, we sketch the proof of the following security theorem.

Theorem 1. Assuming that H is a one-way collision-resistant hash function and that VS is a secure signature scheme, neither a proof of revocation nor a proof of validity can be forged.

Proof. (Sketch) We first consider the slightly more involved case of the validity proof. First observe that assuming the security of VS, no adversary can forge the certificate, except with negligible probability. Therefore, an adversary must use an existing certificate and come up with a proof of validity that hashes to at least one validity target. Suppose that t update periods have already passed, and an adversary is trying to forge a validity proof for update period t + Δ. Denote the adversary's spurious validity proof by Value'(gv(t + Δ)), Value'(CoNodes(gv(t + Δ))), where Value'(gv(t + Δ)) and Value'(CoNodes(gv(t + Δ))) denote spurious values for the co-nodes in the CA's QuasiModo tree. Let r denote the root of the tree, which is already known to a verifier since it is part of the certificate. For a verifier to accept the proof, the spurious values must hash to r. For notational simplicity, let v = Value'(gv(t + Δ)) and let r'_1, ..., r'_ℓ denote the values of the co-nodes ordered along the siblings of the vertices on the path from the vertex to the root. First note that if ℓ is greater than the depth of the original tree, then the expiration period would be reached (it would also imply that the adversary inverted H at a random point, which we assume to be infeasible, except with negligible probability). So, let us suppose ℓ is bounded by the depth of the original tree. Now, let r_1, ..., r_ℓ denote the actual values corresponding to what the CA generated in the actual QuasiModo tree. If for all i ∈ {1, ..., ℓ} it holds that r_i = r'_i, then it follows that the adversary correctly computed a pre-image of H, since the CA never revealed all the r_i. This event only happens with negligible probability since H is a one-way collision-resistant cryptographic hash function.

So, suppose that the r_i and r'_i are not all equal; we show how to construct a hash function collision. Because the r'_i verifiably hash to the root, it follows that the root value can be calculated as h'_ℓ, where h'_1 = H(Value'(gv(t + Δ)) ∘ r'_1) and h'_i = H([h'_{i−1}, r'_i]) for i ∈ {2, ..., ℓ}. Likewise, the same root value can be calculated as h_ℓ, where h_1 = H(Value(gv(t + Δ)) ∘ r_1) and h_i = H([h_{i−1}, r_i]). Because both calculations yield the same committed root value, it follows that h_ℓ = Value(r) = h'_ℓ. Now since the r_i and r'_i are distinct, but h_ℓ = h'_ℓ, there must be some index j ∈ {1, ..., ℓ} for which h'_j = h_j, but (h_{j−1}, r_j) ≠ (h'_{j−1}, r'_j). In that case, h'_j = H([h'_{j−1}, r'_j]) = H([h_{j−1}, r_j]) = h_j, which is a collision since the inputs to H are distinct. We have therefore violated the collision-resistance property of H, which can only happen with negligible probability.

We now consider the revocation target. A forgery yields a pre-image of the revocation target. Since the CA constructed the revocation target by applying H to a random value, that means the adversary can invert H at a random point, which happens with negligible probability by the one-wayness of H.
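The collision-extraction step of the sketch, as runnable code (an added example, not the paper's): given two differing authentication paths that hash to the same root, it returns the index-j inputs that collide. Because no such pair can be found for SHA-1, the demonstration uses a 16-bit truncation of SHA-1 (my construction, labelled toy_hash) so that a second path exists and the extraction can be exercised; the leaf and co-node values are constructed here.

```python
import hashlib

# Added example, not code from the paper: the collision-extraction step of the
# proof sketch. Two authentication paths of equal length that differ but hash
# to the same root must contain an index j with h_j = h'_j and different
# inputs; that pair of inputs is a collision for the hash.


def H(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def toy_hash(data: bytes) -> bytes:
    """16-bit truncation of SHA-1 (constructed for this demo only), so a second
    path can be found by brute force and the extraction can be exercised."""
    return hashlib.sha1(data).digest()[:2]


def hash_path(v: bytes, conodes: list, h=H) -> list:
    """h_1 = h(v || r_1), h_i = h(h_{i-1} || r_i); returns all intermediate values.
    The sketch writes plain concatenation and omits left/right ordering, so this does too."""
    out, acc = [], v
    for r in conodes:
        acc = h(acc + r)
        out.append(acc)
    return out


def extract_collision(real, spurious, h=H):
    """real and spurious are (leaf value, [r_1..r_l]) pairs. If they differ and
    hash to the same root, return (x, x') with x != x' and h(x) == h(x'); else None."""
    v, rs = real
    v2, rs2 = spurious
    if len(rs) != len(rs2) or (v, rs) == (v2, rs2):
        return None
    hs, hs2 = hash_path(v, rs, h), hash_path(v2, rs2, h)
    if hs[-1] != hs2[-1]:                       # a verifier would reject; nothing to extract
        return None
    prev, prev2 = v, v2                         # h_0 is the leaf value itself
    for j in range(len(rs)):
        x, x2 = prev + rs[j], prev2 + rs2[j]
        if hs[j] == hs2[j] and x != x2:
            return x, x2
        prev, prev2 = hs[j], hs2[j]
    return None                                 # unreachable when the paths differ


def forge_first_step(v: bytes, r1: bytes, h, limit: int = 1 << 22):
    """Second-preimage search, feasible only against the toy hash: find a different
    leaf value v' with h(v' || r_1) == h(v || r_1). Constructed to exercise the extraction."""
    target = h(v + r1)
    for i in range(limit):
        cand = b"forged-" + i.to_bytes(4, "big")
        if cand != v and h(cand + r1) == target:
            return cand
    return None


def demo() -> tuple:
    """Honest path with constructed values; a forged leaf found under the toy hash."""
    v = b"constructed leaf value 00001"
    rs = [hashlib.sha1(b"constructed co-node %d" % i).digest() for i in range(1, 4)]
    v2 = forge_first_step(v, rs[0], toy_hash)
    return extract_collision((v, rs), (v2, rs), toy_hash)
```

Under the toy hash the forged path re-converges at j = 1, so the extracted pair is (v ∘ r_1, v' ∘ r'_1); under SHA-1 a path that differs in any co-node yields a different root and nothing is extracted, which is exactly the argument of the sketch.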
Abstract. Public Key Infrastructure (PKI) technology is very important for supporting secure global electronic commerce and digital communications on networks. The Online Certificate Status Protocol (OCSP) is the standard protocol for retrieving certificate revocation information in a PKI. To minimize the damage caused by the exposure of an OCSP responder's private key, a distributed OCSP composed of multiple responders is needed. This paper presents a new distributed OCSP with a single public key, using a key-insulated signature scheme [6]. In the proposed distributed OCSP, each responder has a different private key, but the corresponding public key remains fixed, so the client simply obtains and stores one certificate and can verify any response using a single public key.



Keywords: Public Key Infrastructure, Certificate Revocation, Online Certifi- 
cate Status Protocol, Distributed OCSP, Key-Insulated Signature Scheme 

1 Introduction 

1.1 Background and Motivation 

Recently, the Internet has spread all over the world and has come to be used as an inf
rastructure for electronic commerce. However, many threats exist on networks, for example wiretapping, alteration of data, and impersonation. It is important to support secure digital transactions and communications throughout existing networks. Confidentiality, integrity, authentication, and non-repudiation are all security requirements for preventing these threats. These requirements can be supported by a variety of different key management architectures. One of these architectures is a Public Key Infrastructure (PKI). A PKI is the basis of a security infrastructure whose services are implemented and provided using public key techniques. Most of the protocols for secure e-mail, web services, virtual private networks, and authentication systems make use of PKIs.
In a PKI, a trusted third party called a Certification Authority (CA) issues certificates digitally signed with its private signing key. A certificate binds an entity's identity information to the corresponding public key. Nevertheless, a certificate is revoked if that binding is broken before its expiration date. If a user's private key is compromised or the user's personal information changes, the user requests that the CA revoke the certificate. The CA is the ultimate owner of certificate status and has the responsibility of publishing to users that a certificate has become invalid. Thus, users must not simply check the expiration date on a certificate, but also check whether the certificate has been revoked. The validation of certificate status information is a current issue in PKI.

Certificate revocation can be implemented in several ways. The most well-known method is to periodically publish a Certificate Revocation List (CRL) [9, 7]. A CRL is a digitally signed list of revoked certificates, usually issued by a CA for the certificates it manages. To validate a user's certificate, the verifier obtains the CRL stored in a repository and must verify its validity and the CA's digital signature. The verifier must then confirm whether the user's certificate is contained in the CRL. The main advantage of CRL systems is their simplicity; however, several problems have been pointed out [1, 23]. In particular, the main disadvantage of CRL systems is the high communication cost between the user and the repository on which the CRLs are stored. It is said that a certificate revocation rate of around 10 percent per year is reasonable [20]. Therefore, the CRL will be quite long if the CA has many clients. That is, validation performance is likely to be slow, since the verifier has to download the CRLs from each CA (or CA's repository) in a certification chain and verify each CRL. This is a critical problem if the client is a mobile terminal with restricted processing capacity, memory limitations, and limited network bandwidth. In order to reduce the size of CRLs, several modifications have been suggested. A Delta CRL [9] is a small CRL that includes information about the certificates that have been revoked since the issuance of a complete revocation list called the Base CRL. CRL Distribution Points were also defined in [9]; they allow revocation information within a single domain to be divided into multiple CRLs.

In order to reduce the communication costs, there are some alternatives to CRL-based systems. The Certificate Revocation Tree (CRT) was proposed by Kocher [12]. CRTs are based on Merkle hash trees [14], in which the tree itself represents all certificate revocation information. Naor and Nissim proposed the Authenticated Directory [19], which improves the reduction in communication cost by balancing the hash tree. They introduced the use of a 2-3 tree, in which every node has two or three children. In [10, 11], the binary hash tree is extended to a k-ary hash tree in which any node has at most k children. Micali proposed a revocation system using hash chains [15, 16], taking into account both the user's and the CA's efficiency.

If the client needs very timely certificate status information, an online certificate status service is required. The standard online revocation system is the Online Certificate Status Protocol (OCSP) defined in [18]. OCSP provides up-to-date responses to certificate status queries and reduces the communication costs in comparison with CRLs, because the client only requests the status of a certificate instead of obtaining the CRLs. The certificate status is returned by a trusted entity referred to as an OCSP responder. The response indicates the status of the certificate by returning the value good, revoked, or unknown. Additionally, the OCSP responder signs each response it produces using its private key. A CRL publishes data on all revoked certificates, for example the issuer's name and the serial numbers. Since any client can obtain the CRL, this leads to privacy concerns. On the other hand, the OCSP responder simply returns the status of the requested certificate and does not expose information about all revoked certificates. In a mobile environment, using OCSP appears to be a good choice, because the client can retrieve a certificate's status in a timely manner with moderate resource usage. As online protocols that are more extensive than OCSP, several mechanisms that build and validate certification paths on behalf of end users have been suggested [13, 22]. This paper only focuses on the certificate status checking mechanism.

With OCSP, the communication costs are reduced; however, the computation costs increase substantially, since a digital signature is a computationally complex operation. Consequently, OCSP becomes highly vulnerable to denial-of-service (DoS) attacks if the responder is centralized [16]. Another threat is the leakage of the responder's private key. If the responder's private key is compromised, the attacker can generate forged responses stating that a revoked certificate is valid. As with the CA's private key, exposure of the responder's private key has a serious impact on clients. So countermeasures against these threats are important for providing the online certificate status service securely.



1.2 Related Work 

To reduce the risk of DoS attacks, OCSP responders may pre-produce signed responses specifying the status of certificates at a specified time [18]. However, the use of pre-produced responses allows replay attacks in which an old response is replayed prior to its expiration date but after the certificate has been revoked. To avoid replay attacks, the responder needs to generate pre-produced responses within a short period of time. But this consumes a lot of processing, which in turn exposes the responder to DoS attacks. In [17], a modification of OCSP using hash chains is suggested to reduce the computational load of the OCSP responder.

As with the CA's private key, the responder's private key must be stored very carefully. There are some approaches to protecting the private key from attackers. A Hardware Security Module (HSM) may reduce the risk of key compromise. An attacker would need to penetrate or steal the HSM to retrieve the responder's private key. To evaluate the security of an HSM objectively, the security requirements for cryptographic modules are specified in [21]. Another approach is to manage shares of the responder's private key on different servers using threshold cryptography [4]. A proactive signature [3] is an enhanced threshold solution with periodic refreshment of shares. These approaches can be effective, but key exposures caused by operational mistakes appear to be unavoidable.



1.3 Our Contributions 

As mentioned above, it is difficult to avoid all threats completely. If the OCSP responder is centralized, the entire system is affected by DoS attacks and by compromise of the responder's private key. That is, the entire service becomes unavailable in those cases. Therefore, minimizing the damage caused by responder private key exposure and DoS attacks is extremely important for deploying an OCSP system.

A distributed OCSP (D-OCSP) model composed of multiple responders mitigates this damage. If each responder has the same private key, compromising any responder compromises the entire system [16]. On the other hand, if each responder has a different private key, compromising one responder does not affect the others. Hence, this paper examines a D-OCSP in which each responder has a different private key. In the general D-OCSP model, the CA issues each responder's certificate. However, the client's load becomes heavy in this model. Every time clients receive a response from a responder, they need to obtain the responder's certificate. Moreover, when clients use a different responder, they need to get its certificate.

This paper presents a new D-OCSP with a single public key, using a key-insulated signature scheme (KIS) based on the difficulty of the discrete logarithm problem [6]. A KIS is one of the methods for mitigating the damage caused by private key exposure. Using a KIS-enabled responder, compromise of the responder's private key only affects a short time period. We focus on the property that in a KIS all signatures can be verified using a fixed public key. This paper takes a different approach from a KIS-enabled responder. Multiple private keys are generated using the key update algorithm of the KIS and assigned to separate responders. Thus each responder has a different private key, but the corresponding public key remains fixed, and the client can verify any response using a single public key. Once the client has obtained the responder's certificate, she simply stores it and can use it during its validity period. Thereby, communication costs are lower in comparison with the general model. In our model, the client needs to check the validity of the responder's private key as well as that of the traditional certificate. Our proposed D-OCSP applies Micali's revocation system [16], and the client checks the validity of the responder's private key more efficiently than with a CRT.

The rest of this paper is organized as follows. In Section 2, we explain the traditional D-OCSP, in which the CA issues responder certificates with a short lifetime, and discuss the problems of the traditional D-OCSP. In Section 3, we describe the proposed D-OCSP, including the validation of the responder's private key and the process of decentralizing the responders. Section 4 details the security and performance of our D-OCSP. Concluding remarks are made in Section 5.
2 Distributed OCSP

2.1 Model

In a distributed OCSP (D-OCSP), there are three entities, as shown in Fig. 1.

1. Certification Authority (CA)

A Certification Authority (CA) is a trusted third party that has the responsibility of publishing the certificate revocation information. Compromise of the CA's private key would be disastrous for the entire system, so the CA is isolated from the Internet in order to avoid unauthorized access.

2. Responders

A responder is a trusted entity that sends certificate status information to clients.

3. Clients

Clients trust the CA's public key certificate and request certificate status information from responders.

In this section, we explain the general D-OCSP model using responder certificates. If each responder has the same private key, compromising any responder compromises the entire system [16]. Thus, we examine a D-OCSP in which each responder has a different key pair (PK_i, SK_i). The CA issues each responder's public key certificate, digitally signed with its own private key. As with a traditional public key certificate, the client needs to check the revocation information of the responder's certificate. There are several ways of checking this information [7]. The simplest method is to use the CRL issued by the CA. Another way is to use responder certificates with a short lifetime. Using short-lived certificates, clients do not have to check the validity of the responder's certificate. A D-OCSP composed of n responders in this style is shown in Figure 1.




[Figure 1 omitted from the scan; the visible labels are "Client" and "CA's certificate".]

Fig. 1. A Distributed OCSP Model
2.2 Verification Processes

When the client receives a response from responder i, she should verify the response as follows.

1. The client obtains the responder's certificate, online or offline.

2. The client verifies the digital signature contained in the responder's certificate using the CA's public key.

3. The client verifies the digital signature contained in the response using the responder's public key.

(Problems)

1. Client Efficiency

Every time the client receives a response, she has to obtain the responder's certificate, since the responder's certificate is updated frequently. Therefore, the communication between the client and the responders is not efficient. Even if the CA issues long-lived responder certificates, the client needs to download a different responder's certificate whenever it receives a response sent by a different responder. So the memory usage of the client will increase.

2. CA Efficiency

The CA needs to issue responder certificates frequently. Thereby, the CA needs to produce digital signatures and its computational costs increase.

3 Proposed Method 

This paper proposes a new D-OCSP with a single public key. In detail, we use a key-insulated signature scheme (KIS) [6], and the responders' private keys are generated all at once. The client can then verify any response using a single public key. Before presenting the decentralization method, we explain the KIS in detail.

Many digital signature schemes have been proposed, but they provide no security guarantees in case of private key exposure. To minimize the damage caused by the leakage of private keys, the notion of key-insulated security was introduced in [5], and a KIS is formalized in [6]. As in a standard signature scheme, the user begins by registering a single public key that remains fixed for the lifetime of the protocol, while the corresponding private key can be changed frequently. A master secret key is stored on a physically secure device. The lifetime of the protocol is divided into distinct periods 1, ..., N. At the beginning of period i, the user interacts with the secure device to derive a temporary private key SK_i. Even if SK_i is exposed, an attacker cannot forge signatures for any other time period. Moreover, in a strong (t, N)-key-insulated scheme, an attacker cannot forge signatures for any of the remaining N − t periods even if she obtains the private keys for up to t periods. Using a KIS-enabled responder, responses are signed using the responder's private key SK_i at time period i. In that case, the attacker can forge responses only during period i if SK_i is compromised. That is, compromise of the responder's private key only affects the responses at the point of compromise.

We focus on the property that all signatures can be verified using a fixed public key. This paper takes a different approach from a KIS-enabled responder. Suppose the total number of responders in our D-OCSP is n; n private keys are generated using the key update algorithm of the KIS and assigned to the n separate responders. Thus each responder has a different private key, but the corresponding public key remains fixed, and verifiers can verify responses sent by any responder using a single public key. The details of these processes are described in Section 3.2.

Besides the key-insulated model, alternative approaches have been proposed. The first such example is a forward-secure signature scheme (FSS) [2]. This scheme prevents compromise of the private keys of previous time periods, even if an attacker exposes the current private key. However, once the attacker exposes the current private key, she can easily derive the private keys of future periods. Like the proposed model, a D-OCSP model using FSS has the advantage that the client can verify any response using a single public key, but this model cannot minimize the impact caused by compromise of responder private keys. Another approach is the intrusion-resilient signature scheme (IRS) proposed in [8]. This scheme adds to key-insulation a proactive refresh capability, which may be performed more frequently than key updates. IRS can tolerate multiple corruptions of both the user and the physically secure device. Signatures remain secure even if both devices are compromised, as long as the compromises are not simultaneous. Compared to FSS and KIS, IRS has higher security. In our method, however, the master secret key stored on the physically secure device is only used during private key generation, and the master key is deleted after the generation is finished. Taking into account the computation costs, this paper examines the decentralizing method of the CA using KIS.



3.1 Validation of Responder’s Private Key 

In this section, we examine the method for validating a responder's private key. The client needs to check that a responder's certificate has not been revoked. There are several ways of checking this information [7]. The simplest method is for the client to perform an offline verification using something like a CRL issued by the CA. Alternatively, the CA may choose not to specify any method of revocation checking for responder certificates. In that case, responder certificates with a very short lifetime should be issued. In the traditional D-OCSP mentioned in Section 2, the client does not have to check the validity of the responder's certificate. However, the D-OCSP using responder certificates with a short lifetime has disadvantages. The first problem is that communication costs are inefficient, since the client has to obtain the responder's certificate whenever it receives a response. Moreover, the CA's computational costs become high because of frequently updating responder certificates.
In our model, each responder has a different private key, but the corresponding 
public key remains fixed. As in the traditional model, if a private key is 
compromised it must be revoked and the CA must announce to all users that it is 
invalid. We use Micali’s revocation system proposed in [16], which is based on a 
hash chain and is efficient in computational cost. Like Micali’s system, our model 
uses a one-way hash function H with the following properties. 

(One-way hash function) 

1. H is at least 10,000 times faster to compute than a digital signature scheme. 

2. H produces 20-byte outputs. 

3. H is hard to invert: given Y, finding X such that H(X) = Y is practically 
impossible. 



(Issuance of Responder’s Certificate) 

1. Let T be the total number of time periods. For example, T is 365 if each 
responder’s certificate expires 365 days after issuance. The CA produces T 
hash values using H as follows. 

    X_T --H--> X_{T-1} --H--> X_{T-2} --H--> ... --H--> X_1 

Let n be the total number of responders. The CA repeatedly produces n such 
hash chains from different input values; X_{t,j} denotes the hash value at time 
period t for validation of responder j. These hash values are stored on the 
CA. 

    X_{T,1} --H--> X_{T-1,1} --H--> X_{T-2,1} --H--> ... --H--> X_{1,1} 
    X_{T,2} --H--> X_{T-1,2} --H--> X_{T-2,2} --H--> ... --H--> X_{1,2} 
    ... 
    X_{T,n} --H--> X_{T-1,n} --H--> X_{T-2,n} --H--> ... --H--> X_{1,n} 

2. The CA issues the responder’s certificate Cres using its own private key. SN is 
the serial number of the certificate and V represents the validity period. I and 
S denote the issuer and subject of the certificate, respectively. 

    Cres = Sig_SK(PKres, SN, I, S, V, X_{1,1}, ..., X_{1,n}) 



(Validation of Responder’s Private Key) 

1. The CA delivers the hash value X_{t,i} to responder i if responder i’s private 
key SK_i is valid at period t. 

2. When responder i returns the response R to the client at period t, she also 
delivers the hash value X_{t,i} to the client. 

    (i, t, X_{t,i}, R, Sig_{SK_i}(R)) 
Fig. 2. Proposed D-OCSP 



3. When the client receives the response from responder i, she verifies the digital 
signature using the responder’s public key PKres. Then the client checks the 
validity of the responder’s private key using the hash value X_{t,i} and the value 
X_{1,i} contained in the responder’s certificate. In detail, the client checks the 
following equation; if it is satisfied, the client can certify that SK_i is 
valid. 

    X_{1,i} = 

In this way the client can verify the validity of the responder’s private 
key. The responder’s certificate is not revoked during its validity period unless 
all of the responders’ private keys are revoked. 

3.2 Decentralizing Method of Responder 

We describe the decentralizing process using the KIS based on the difficulty of the 
discrete logarithm problem [6]. Let R_1, ..., R_n be the responders in our model. Using 
the following processes, a D-OCSP composed of R_1, ..., R_n is constructed (Figure 2). 

Step 1: generation of responders’ private keys 

1. Key pair generation 

Let p and q be primes such that p = 2q + 1, and let g, h be elements of order q 
in the group Z_p^*. A responder’s public key PKres is generated by choosing 
x, y ∈_R Z_q and setting v = g^x h^y. SK^* denotes the master key used to 
generate the responders’ private keys. During the generation process, SK^* is 
stored on the CA. 

    x_0^*, y_0^*, ..., x_t^*, y_t^* ∈_R Z_q 

    v_l^* = g^{x_l^*} h^{y_l^*}   (l = 0, ..., t) 

    SK^* = (x_0^*, y_0^*, ..., x_t^*, y_t^*) 

    PKres = (g, h, v_0^*, ..., v_t^*) 
2. Responders’ private key generation 

A partial key SK'_i is generated as follows; SK'_i is used to derive R_i’s private 
key. 

    SK'_i = (x'_i, y'_i) 

Using the partial keys derived above, n private keys are generated. Once all 
private keys have been derived, SK'_i and SK^* are deleted. 

    x_i = x_{i-1} + x'_i 
    y_i = y_{i-1} + y'_i 

    SK_i = (x_i, y_i) 

The CA delivers the private key SK_i to R_i securely. Thus each responder 
has a different private key. 

3. Issuance of the responder’s certificate 

As mentioned in Section 3.1, the CA issues the responder’s certificate Cres as 
follows. 

    Cres = Sig_SK(PKres, SN, I, S, V, X_{1,1}, ..., X_{1,n}) 

Step 2: Signature and verification algorithms 

1. Signature algorithm 

When R_i returns the response M to the client, she generates a digital signature 
(i, (w, a, b)) using SK_i as follows. 

    r_1, r_2 ∈_R Z_q 

    τ = H(i, M, w) 
    a = r_1 - τ x_i 
    b = r_2 - τ y_i 

2. Verification algorithm 

The client verifies R_i’s signature using PKres as follows. 

    v_i = ∏_{l=0}^{t} (v_l^*)^{i^l} 

    τ = H(i, M, w) 
    w = g^a h^b v_i^τ 
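Key generation, signing and verification of Steps 1 and 2 as an added Python example implementing the discrete-log key-insulated scheme of [6] (Dodis, Katz, Xu and Yung); it is not code from the paper. Two points the page leaves implicit are filled in as assumptions: the partial key x'_i = Σ_{l=0}^{t} x_l^* (i^l - (i-1)^l) (so that x_i = x_{i-1} + x'_i equals Σ_l x_l^* i^l and matches v_i = ∏_l (v_l^*)^{i^l}), with SK_0 = (x_0^*, y_0^*) as the base case, and the commitment w = g^{r_1} h^{r_2} that the signer includes in (i, (w, a, b)). The group parameters p = 1019, q = 509 are constructed toy values, far too small for real use.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime and g, h of order q in Z_p^*.
# 1019 = 2 * 509 + 1; any quadratic residue other than 1 then has order q.
# Far too small for real use; chosen so the arithmetic stays readable.
p, q = 1019, 509
g, h = pow(2, 2, p), pow(3, 2, p)
assert p == 2 * q + 1 and pow(g, q, p) == 1 and pow(h, q, p) == 1

def hash_to_zq(i: int, M: bytes, w: int) -> int:
    # tau = H(i, M, w), mapped into Z_q
    data = i.to_bytes(4, "big") + M + w.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def poly(coeffs, i: int) -> int:
    # sum_{l=0}^{t} c_l * i^l mod q
    return sum(c * pow(i, l, q) for l, c in enumerate(coeffs)) % q

def master_keygen(t: int):
    # Step 1.1: SK* = (x*_0, y*_0, ..., x*_t, y*_t), PK_res = (g, h, v*_0, ..., v*_t)
    xs = [secrets.randbelow(q) for _ in range(t + 1)]
    ys = [secrets.randbelow(q) for _ in range(t + 1)]
    vs = [pow(g, x, p) * pow(h, y, p) % p for x, y in zip(xs, ys)]
    return (xs, ys), (g, h, vs)

def partial_key(sk_star, i: int):
    # SK'_i = (x'_i, y'_i) with x'_i = sum_l x*_l (i^l - (i-1)^l)  [assumed DKXY form]
    xs, ys = sk_star
    return (poly(xs, i) - poly(xs, i - 1)) % q, (poly(ys, i) - poly(ys, i - 1)) % q

def responder_keys(sk_star, n: int) -> dict:
    # Step 1.2: SK_i = SK_{i-1} + SK'_i from SK_0 = (x*_0, y*_0) [assumed base case].
    # Returns {i: SK_i}; afterwards the CA deletes SK* and every SK'_i.
    xs, ys = sk_star
    x_prev, y_prev = xs[0] % q, ys[0] % q
    keys = {}
    for i in range(1, n + 1):
        dx, dy = partial_key(sk_star, i)
        x_prev, y_prev = (x_prev + dx) % q, (y_prev + dy) % q
        keys[i] = (x_prev, y_prev)
    return keys

def sign(i: int, sk_i, M: bytes):
    # Step 2.1: signature (i, (w, a, b)) on response M by responder R_i
    x_i, y_i = sk_i
    r1, r2 = secrets.randbelow(q), secrets.randbelow(q)
    w = pow(g, r1, p) * pow(h, r2, p) % p      # commitment [assumed; the page omits it]
    tau = hash_to_zq(i, M, w)
    return i, (w, (r1 - tau * x_i) % q, (r2 - tau * y_i) % q)

def verify(pk, sig, M: bytes) -> bool:
    # Step 2.2: rebuild v_i = prod_l (v*_l)^(i^l) from the fixed public key, then
    # check w == g^a h^b v_i^tau. The same PK_res verifies every responder.
    g_, h_, vs = pk
    i, (w, a, b) = sig
    v_i = 1
    for l, v in enumerate(vs):
        v_i = v_i * pow(v, pow(i, l, q), p) % p
    tau = hash_to_zq(i, M, w)
    return w == pow(g_, a, p) * pow(h_, b, p) * pow(v_i, tau, p) % p
```

Since the verifier derives v_i from PKres and the responder index alone, a signature produced with SK_2 does not verify when presented under index 3, and a compromised SK_i reveals one point of a degree-t polynomial, which is why the scheme's protection holds only while fewer than t + 1 responder keys are exposed.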



4 Evaluations 

1. Security 

Suppose that an attacker steals R_i’s private key SK_i and the hash value X_{t,i} at 
time period t. She cannot derive any other responder’s private key unless she 
obtains SK^* (which is deleted after the responders’ private keys are generated). 
And even if the attacker obtains X_{t,i}, she cannot derive X_{t+1,i} (where 
H(X_{t+1,i}) = X_{t,i}) because H is a one-way function. Therefore the attacker 
cannot make SK_i appear valid after period t + 1, and our model minimizes the 
damage caused by exposure of a responder’s private key. 

2. Communication costs 

In the traditional D-OCSP, the client must obtain the responder’s certificate 
whenever it receives a response from the responder. Our model reduces the 
communication costs because there is only one responder certificate: the client 
stores it and need not obtain it online or offline during the certificate’s 
validity period. 

3. Validation of responders 

In our model, the responder’s private key is validated using the hash chain, 
without a CRL. As mentioned above, hash computation is much faster than digital 
signature computation. To check the status of the responder’s certificate, the 
client computes just t hash evaluations. 

4. CA efficiency 

The CA must store the hash values securely. Their total size amounts to 20nT 
bytes. However, the CA need not store all hash values; since hash computation is 
very fast, it can store only X_{T,i} (20n bytes) and derive X_{t,i} at period t 
with T - t hash computations. In the traditional D-OCSP, the CA must issue 
short-lived responder certificates. In our model, the CA can issue long-lived 
responder certificates, because the client can validate the responder’s private 
key. Thus our model is more efficient than the traditional model. 

Table 1 shows the comparison between our model using KIS and the traditional 
D-OCSP using DSA. As comparison items we consider the total size of responses, 
the verification cost of the client (validation of the responder’s certificate 
plus signature verification), and the signing cost of the responder. Let size(Cres) 
be the size of the responder’s certificate (for example, a traditional public-key 
certificate is about 800 bytes). Let q and t be the parameters of the digital 
signature scheme; we take q = 160 and t ≈ n. Computational cost is expressed as 
the number of multiplications over Z_p or Z_q. Let EX_{|q|} be the number of 
multiplications required to compute an exponentiation. Our method is 
computationally less efficient than the traditional D-OCSP, but the client can 
verify any response using a single public key. Additionally, the client obtains 
the responder’s certificate only once. 



5 Conclusions 

In order to minimize the damage caused by exposure of a responder’s private key and 
by DoS attacks, a distributed OCSP model composed of multiple responders is required 
in the real world. This paper proposes a new distributed OCSP model using a 
key-insulated signature scheme. In our model, the client needs to check 
Table 1. Comparison between traditional D-OCSP and our D-OCSP 

                             Traditional (DSA)      Proposal (KIS) 
size of responses            2q + size(Cres)        3q + 160 
validation of certificate    nothing                t hash computations 
signing verification cost    3 + 2EX_{|q|}          t + 2 + 3EX_{|q|} 
signing cost                 2 + EX_{|q|}           2 + 2EX_{|q|} 


the validity of the responder’s private key as well as the traditional certificate. 
Our proposed D-OCSP applies Micali’s revocation system, so the client can check the 
validity of the responder’s private key more efficiently than with a CRL. In a 
mobile environment the client has restricted processing capacity as well as 
restricted bandwidth, so our future work is to reduce the computation cost for clients. 
Abstract. This paper focuses on two security services for Internet applications: 
authorization and anonymity. Traditional authorization solutions are not very 
helpful for many Internet applications; however, the attribute certificates 
proposed by ITU-T seem to be well suited and provide an adequate solution. On the 
other hand, special attention is paid to the fact that many of the operations and 
transactions that are part of Internet applications can be easily recorded and 
collected. Consequently, anonymity has become a desirable feature to be added in 
many cases. In this work we propose a solution to enhance the X.509 attribute 
certificate in such a way that it becomes a conditionally anonymous attribute 
certificate. Moreover, we present a protocol to obtain such certificates in a way 
that respects users’ anonymity by using a fair blind signature scheme. We also show 
how to use such certificates and describe a few cases where problems could arise, 
identifying some open problems. 
1 Introduction 

Identity certificates (or public-key certificates) provide the best solution for 
integrating the authentication service into most of the applications that are 
developed for the Internet and make use of digital signatures. The use of a 
wide-range authentication service based on identity certificates is not practical 
unless it is complemented by an efficient and trustworthy means to manage and 
distribute all certificates in the system. This is provided by a Public-Key 
Infrastructure (PKI). 

However, new applications, particularly in the area of e-commerce, need an 
authorization service to describe what the user is granted. In this case, privileges 
to perform tasks should be considered. Thus, for instance, when a company needs to 
establish distinctions among its employees regarding privileges over resources, 
the authorization service becomes important. Different sets of privileges over 
resources (either hardware or software) will be assigned to different categories 
of employees. Also, in those distributed applications where company resources must 
be partially shared through the Internet with other associated companies, 
providers, or clients, the authorization service becomes an essential part. 

Authorization is not a new problem, and different solutions have been used in 
the past. However, traditional solutions are not very helpful for many of the In- 
ternet applications. Attribute Certificates, proposed by the ITU-T (International 
Telecommunications Union) in the X.509 Recommendation [14], provide an ap- 
propriate solution. Additionally, the attribute certificates framework defined by 
ITU provides a foundation upon which a Privilege Management Infrastructure 
(PMI) can be built. 

On the other hand, in recent years users have paid special attention to the 
problem caused by the fact that many of the operations and transactions they carry 
out through the Internet can be easily recorded and collected. Thus, anonymity has 
become a desirable feature to be added in many cases. 

Since the early 1980s many studies have been oriented towards the protection of 
users’ privacy in electronic transactions [4,5,6,18]. Those studies have given rise 
to new cryptographic primitives and protocols that have been applied to several 
specific applications aimed at solving specific problems such as electronic cash 
[8], electronic voting [1,10,12], and others, and to some proposals with a 
multi-purpose point of view that cope with organizations and credentials 
[6,7,9,15,16]. However, this technology has not been transferred to general 
applications in the real world. To the best of our knowledge, only one system has 
been designed and implemented with a practical point of view [2,3]. However, even 
this system does not follow proposed standards such as X.509 attribute 
certificates. 

It is our belief that one of the main steps to transfer such a technology 
to multi-purpose real world applications is the ability to apply them to open 
standard systems. Therefore, in this paper we show a first approach to pro- 
vide anonymity in X.509 attribute certificates, transferring fair blind signature 
schemes to those standard certificates, and defining Anonymous Attribute Cer- 
tificates in which the holder’s identity can be conditionally traceable depending 
on certain conditions. 

The structure of the paper is as follows. In Section 2 we briefly argue for the 
use of blind signatures as the basic building block of our solution. Section 3 
describes the standard X.509 attribute certificates proposed by ITU-T, and how 
the framework that this type of certificate defines is linked to PKIs. Section 4 
describes, through three subsections, the overview of the scheme, the adaptation 
of attribute certificates to support anonymity, and the protocol for a user to 
obtain an anonymous attribute certificate. Section 5 concludes the paper with a 
discussion of results and open issues. 
2 Blind Signatures as a Basic Construction Block 

It is widely known that blind signature protocols [5] provide a means for a signer 
to sign a message sent by an entity. The signer is unable to learn anything about 
the message, and cannot link the signed message with its originator. 

These schemes have been widely studied and applied to solve specific prob- 
lems where anonymity is fundamental, such as electronic voting systems [1,10,12] 
and electronic cash [8]. However, these schemes present an open door for fraud, 
since perfect anonymity offers the best coverage for dishonest behaviour [19]. 
Therefore, these schemes must be used with the maximum of caution, by sub- 
jects under control, and where perfect anonymity is the only solution to the 
problem. 

Other schemes have been developed to avoid that inconvenience. Fair blind 
signature protocols [18,11] try to close the gap between anonymity and fairness. 
In these schemes, the anonymity can be broken and the signed message can be 
linked (only under certain conditions) with the person who requested such a 
blind signature. In these cases, a Trusted Third Party (TTP) is needed in order 
to run the protocol, and the collusion of the TTP with the signer and the signed 
message is a necessary condition. 

3 X.509 Attribute Certificates 

One of the main advantages of an attribute certificate is that it can be used 
for various purposes. It may contain group membership, role, clearance, or any 
other form of authorization. An essential feature is that the attribute certificate 
provides the means to transport authorization information in distributed 
applications. This is especially relevant because through attribute certificates 
authorization information becomes “mobile”, which is highly convenient for 
Internet applications. 

The mobility feature of attributes has been used in applications since the 
publication of the 1997 ITU-T X.509 Recommendation [13]. However, it has been 
used in a very inefficient way. That recommendation introduced an ill-defined 
concept of attribute certificate. For this reason, most current applications do 
not use specific attribute certificates to carry authorization information. On the 
contrary, attributes of entities are carried inside identity certificates. The 
subjectDirectoryAttributes extension field is used for this purpose. This field 
conveys any desired directory attribute values for the subject of the certificate, 
and is defined as follows: 

    subjectDirectoryAttributes EXTENSION ::= { 
        SYNTAX        AttributesSyntax 
        IDENTIFIED BY id-ce-subjectDirectoryAttributes } 

    AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute 

This solution does not make entity attributes independent from identity, which 
can cause problems. Firstly, this is not convenient in the frequent situations 
where the authority issuing the identity certificate is not the authority for the 
assignment of privileges. Secondly, even in the situations where the authority is 
the same, we must consider that the lifetime of identity certificates is relatively 
long compared to the frequency of change of user privileges. Therefore, every 
time privileges change it is necessary to revoke the identity certificate, and it is 
already known that certificate revocation is a costly process. 

Moreover, many applications deal with authorization issues like delegation 
(conveyance of a privilege from one entity that holds it to another entity) or 
substitution (one user is temporarily substituted by another user, who holds the 
privileges of the first one for a certain period of time). Identity certificates 
support neither delegation nor substitution. 

The most recent ITU-T X.509 Recommendation, of the year 2000, provides an 
approach to these problems because it standardizes the concept of attribute 
certificate and defines a framework that provides the basis upon which a PMI can 
be built. Precisely, the foundation of the PMI framework is the PKI framework 
defined by ITU. In fact, ITU attribute certificates seem to have been proposed 
mainly for use in conjunction with identity certificates; that is, the PKI and PMI 
infrastructures are linked by information contained in the identity and attribute 
certificates (figure 1). 




Fig. 1. Relation between identity and attribute certificates 



Although linked, both infrastructures can be autonomous and managed 
independently, which provides a real advantage. In the most recent 
recommendation, attribute certificates are conveniently described, including an 
extensibility mechanism and a set of specific extensions. A new type of authority 
for the assignment of privileges is also defined, the Attribute Authority (AA), 
while a special type of authority, the Source of Authority (SOA), is established as 
the root of delegation chains. The recommendation defines a framework that provides 
a foundation upon which a PMI is built to contain a multiplicity of AAs and 
final users. Revocation procedures are also considered by defining the concept 
of Attribute Certificate Revocation Lists, which are handled in the same way as 
the Certificate Revocation Lists published by Certification Authorities (CAs) in 
the PKI case. 

As shown in figure 1, the field holder in the attribute certificate contains the 
serial number of the identity certificate. As mentioned in [17], it is also possible 
to bind the attribute certificate to any object by using the hash value of that 
object. For instance, the hash value of the public key, or the hash value of the 
identity certificate itself, can be used. All possibilities for the binding can be 
derived from the ASN.1 specification of the field holder, where other related 
data structures are also specified: 

    Holder ::= SEQUENCE { 
        baseCertificateID   [0] IssuerSerial OPTIONAL, 
        entityName          [1] GeneralNames OPTIONAL, 
        objectDigestInfo    [2] ObjectDigestInfo OPTIONAL 
    } 

    GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 

    GeneralName ::= CHOICE { 
        otherName                  [0] INSTANCE OF OTHER-NAME, 
        rfc822Name                 [1] IA5String, 
        dNSName                    [2] IA5String, 
        x400Address                [3] ORAddress, 
        directoryName              [4] Name, 
        ediPartyName               [5] EDIPartyName, 
        uniformResourceIdentifier  [6] IA5String, 
        iPAddress                  [7] OCTET STRING, 
        registeredID               [8] OBJECT IDENTIFIER 
    } 

    ObjectDigestInfo ::= SEQUENCE { 
        digestedObjectType  ENUMERATED { 
            publicKey         (0), 
            publicKeyCert     (1), 
            otherObjectTypes  (2) 
        }, 
        otherObjectTypeID   OBJECT IDENTIFIER OPTIONAL, 
        digestAlgorithm     AlgorithmIdentifier, 
        objectDigest        BIT STRING 
    } 

As we will see in the next section, the content of this specification is essential 
for the scheme that we have developed. 

4 Introducing Anonymity into Attribute Certificates 

4.1 Overview of the Scheme 

Our scheme coexists with standard PMIs and PKIs. While a PKI provides support 
for users’ identities, the AA issues certificates about attributes that the 
users hold. Additionally, we suppose that some organizations provide services to 
users based on their respective attributes. We have introduced in the scheme a 
TTP which provides (in collusion with the AAs) the ability to disclose anonymous 
users’ identities. Some of the AAs will have the special capacity to issue 
anonymous attribute certificates. Each of those AAs is connected with several 
Attribute sub-Authorities, which will be in charge of verifying that a user 
fulfills the requirements needed to obtain an “anonymous” certificate containing 
a specific attribute (figure 2). 




Fig. 2. System Overview 



The role that the actors play in our solution can be roughly seen as follows. 
A user can anonymously acquire as many pseudonyms as he needs from the TTP, where 
the validity of the pseudonyms is limited in time. Every obtained pseudonym is 
composed of two related parts: one of them is public and the other one is 
private. In the following we will refer to these parts as the public pseudonym 
and the private pseudonym respectively. The TTP keeps such a relationship until 
the end of the validity period. For each anonymous certificate that the user wants 
to get, he will collect all proofs needed to apply for a specific attribute (or set 
of attributes), and will send the proofs, together with his identity and his public 
pseudonym, to the Attribute sub-Authority in charge of verifying such proofs. 
If the set of proofs is complete, a special token related to the public pseudonym 
will be issued (by using a fair blind signature scheme), and a link stating the 
relationship between the user’s identity and his public pseudonym will be stored. 

This special token will be modified (again, using a fair blind signature scheme) 
by the user in order to hide its relationship with the public pseudonym and will 
reflect, since that moment, the relationship with the private part. This token, 
now associated with the private pseudonym, will be used by the user to anony- 
mously apply for an anonymous attribute certificate to the AA. Note that if the 
anonymous user holds that token, then he fulfills the requirements needed to get 
the certificate containing a (set of) specific attributes. 
Once the AA checks that everything is correct, it issues the certificate of the 
attributes that correspond to the Attribute sub-Authority that issued such a 
token. As stated, these certificates are issued anonymously and are related to 
the user’s private pseudonym. Therefore, nobody can link them with the real 
user’s identity unless the TTP and the Attribute sub-Authority collude and some 
conditions are met. By definition, it is supposed that the TTP will remain 
trusted and will not reveal the link between both parts of the pseudonym unless 
a condition expressed in the certificate is fulfilled and such a condition is signed 
by the user and the AA. 

The user will make use of the attribute certificate in order to enforce his 
privileges. As it is anonymous, it is not linked to any PKI. However it contains a 
public key and the user who knows the corresponding private key is considered 
the one who owns such an attribute. 

4.2 Adapting Attribute Certificates to Support Anonymity 

In Section 3 we mentioned that the field holder of the attribute certificate 
can contain the digest of any object. Thus, we will define an object, called 
Pseudonym Structure (figure 3), to support the conditional anonymity of the 
owner, and will link such an object with the attribute certificate by using this 
field. The pseudonym structure fields are the following ones: 



Fig. 3. Relation between pseudonym structure and attribute certificate 

Pseudonym structure fields: Pseudonym Structure Label, Pseudonym, TTP Identifier, 
Condition, Signature Algorithm, Public Key, Signature. 

Attribute certificate fields: Version Number, Serial Number, Signature Algorithm, 
Issuer, Validity Period, Holder, Attributes, Issuer Unique Identifier, Extensions, 
AA Signature. 



– Pseudonym Structure Label: A static field that allows us to interpret the 
object as a proper pseudonym structure. 

– Pseudonym: The holder’s private pseudonym, issued by the TTP specified 
in the next field. 

– TTP Identifier: The issuer of the pseudonym, which keeps a record linking 
the private pseudonym with the public one. 

– Condition: The condition under which, if fulfilled, both the TTP and the 
AA will collude and reveal the user’s identity. 

– Signature Algorithm: Identifies the algorithm for signature and verification 
of documents using the public key stored in the next field. 

– Public Key: The key used to authenticate the owner of the attribute 
certificate, in such a way that the anonymous user who holds the corresponding 
private key will be the attribute owner. For a proper authentication procedure, 
the anonymous user should sign a challenge with that private key every time 
that authentication is needed. 

– Signature: The anonymous user signs the pseudonym structure to prove that 
it is a valid structure and that he knows the corresponding private key. 
Moreover, the signature is the proof that the anonymous user accepts the 
condition stated above with respect to revealing his real identity. 

We define a conditionally anonymous X.509 attribute certificate as the 
attribute certificate itself together with the pseudonym structure, linked by 
means of the holder field as stated before. The attribute certificate is signed by 
the attribute authority, which means that the AA agrees on the terms expressed in 
the linked pseudonym structure. Therefore, the user should know the authorization 
policy and the conditions under which an attribute certificate request is granted. 

It is supposed that the TTP will not reveal pseudonym links unless the 
condition stated in the certificate is fulfilled. It is also supposed that the user 
will not transfer his anonymous attribute certificate by revealing the 
corresponding private key to any other user. This is probably the weakest 
requirement in our solution and it needs further study, as discussed later. 



4.3 Protocol to Obtain and Use an Attribute Certificate 

In this subsection we explain the protocol to obtain an attribute certificate, 
and how it can be used. This protocol uses as its fundamental building block 
the fair blind signature scheme presented in [18] under the name of fair blind 
signatures with registration. Most of the structure of Parts I and II of our 
protocol corresponds to the aforementioned protocol, but the nomenclature has 
been adapted, and an abstraction of the protocol has been used to hide the 
underlying mathematics. Additionally, in Part II, some steps have been 
introduced to adapt it to our scheme. 

The cryptographic nomenclature used in the protocol is shown in Table 1. 
The actors involved in the protocol are the following: 

– Actors and terminology 

• U is the user. His certified public key, U_publ, is supported by an external PKI. 

• A is a user’s anonymous asymmetric key with no PKI support. 

• P is a user’s pseudonym. It has a public part P_publ, which is associated to the 
user, and a private part, P_priv. 

• The Trusted Third Party [TTP] provides pseudonyms to users and keeps a 
link between both parts (public and private) of the pseudonym. 

• The Attribute Authority [AA] provides attribute certificates, and its certified 
public key AA_publ is supported by an external PKI. 
Table 1. Cryptographic protocol nomenclature 

Nomenclature               Meaning 
A : act                    A’s action act 
A -> B : m                 m is sent from A to B 
m = (m1, m2)               m is composed of m1 and m2 
c = E_z(m)                 m is encrypted with the symmetric key z 
m = D_z(c)                 c is decrypted with the symmetric key z 
A_publ, A_priv             A’s asymmetric public and private keys 
c = E_A(m)                 m is encrypted with A’s asymmetric public key 
m = D_A(c)                 c is decrypted with A’s asymmetric private key 
h = H(m)                   m’s one-way hash 
s_m = S_A(m)               m’s signature with A’s asymmetric private key 
                           [S_A(m) <=> E_{A_priv}(H(m))] 
m_s = S̄_A(m)               signed message composed of the message m and its 
                           signature with A’s asymmetric private key 
                           [S̄_A(m) <=> (m, S_A(m))] 
b = V_A(m_s)               verify the signed message with A’s asymmetric public key 
                           [V_A(m_s) <=> [H(m') = D_{A_publ}(S_A(m))] / [m_s = (m', S_A(m))]] 
z = NSK()                  create new symmetric key z 
A = NAK()                  create new asymmetric key pair for A 



• The Attribute sub-Authorities [AA^i, ∀ i ∈ Attributes] verify that a user fulfills 
the requirements needed to apply for an attribute certificate on ATTR^i. Their 
certified public keys AA^i_publ are supported by an external PKI. 

• ATTR^i is the attribute for which the Attribute sub-Authority [AA^i, ∀ i ∈ 
Attributes] checks for requirement fulfillment, and for which the Attribute 
Authority [AA] provides attribute certificates. 

• ATTR^i_U is the proof that the user U fulfills the requirements to apply for the 
attribute i. 

• SP is a Service Provider that offers services to those users that have the 
attribute certificate ATTR^i. 

• f_publ and f_priv are two flags that specify which part of the pseudonym is public 
and which one is private. 

• val_period is the period in which the pseudonym remains valid. 

• fblind_X(m) represents that the message m is protected to be “fair blind” 
signed by X. 

• S_X^{P_publ}(fblind_X(m)) is the fair blind signature of X over message m under the 
public pseudonym P_publ, as specified in [18]. 

• S_X^{P_priv}(m) is the fair blind signature of X over message m under the private 
pseudonym P_priv, after transforming the public blind signature to the 
corresponding private clear form. It is composed of the message and the fair blind 
signature under P_priv. 
The whole protocol is divided into the following parts: 

Part I. Obtaining a Pseudonym. This part corresponds to the registration 
phase in the fair blind signatures with registration protocol from [18]. It deals 
with the user’s acquisition of a pseudonym. The user will request a pseudonym 
from a TTP that is able to produce valid pseudonyms. This TTP must be 
recognized by the entity that issues the attribute certificates. The TTP will 
create a new pseudonym, which consists of two parts, the public and the private 
parts, respectively. Both parts must be created in a related way that makes 
the fair blind signature possible. The TTP will store and keep such a linked 
pair, so that the relation can be disclosed if some conditions are met. Then, 
both parts will be signed (with a flag identifying their purpose and their validity 
period) and sent to the user who requested them. This part of the protocol is 
carried out anonymously and the TTP does not learn anything about the 
user who requests a pseudonym. This part will be run whenever a user needs a 
new pseudonym. 

1. U : z = NSK()

2. U → TTP : E_TTP(z, Pseudonym_Request)

3. TTP : New_Pseudonym(P_publ, P_priv)

4. TTP : STORE(val_period, P_publ, P_priv)

5. TTP → U : E_z(S_TTP(f_publ, val_period, P_publ), S_TTP(f_priv, val_period, P_priv))

Part II. Obtaining a Fair Blind Signature. This part of the protocol
corresponds with the phase of getting a signature in the fair blind signatures
with registration protocol from [18]. In this phase, the user obtains a message
signed by the Attribute sub-Authority [AA^i] in charge of verifying fulfillment
of the requirements needed to get a certificate over the attribute i. The way in
which the fair blind signature operates guarantees that the signer is unable to
know what he is signing, and that the signature is done over a public pseudonym
related with the user, but such a relationship will be removed by transforming
the signature over the private pseudonym.

Therefore, in this phase, the goal of the user is to obtain a proof that reveals 
that its owner fulfills the requirements needed to get an attribute certificate on 
a specific attribute. However, nobody must be able to link such a proof with the 
user. 

In our protocol, the proof that a user fulfills a set of requirements consists 
of a public key signed by the authority in charge of verifying such requirements. 
The owner of the signed public key remains anonymous; that is, nobody is able 
to establish a relationship with the user that created it. However, the signature 
has a link with a private pseudonym, but nobody knows who the owner is. At the 
moment of issuing the fair blind signature the authority operates over a public 
pseudonym that is able to relate with the user’s identity. 

Thus, in the second part of the protocol the user creates a new asymmetric 
key pair (this key pair will be associated with the attribute certificate). He 
prepares such a public key to be fair blind-signed by the authority in charge and 
sends it together with information about the TTP, his public pseudonym and 
the set of proofs that show that the user fulfills the needed requirements. 

The authority checks that the pseudonym is valid and that the TTP is
recognized, and then checks if the user fulfills the requirements needed in order
to get a certificate containing the attribute i. These requirements depend on
the entity's policy.

If the requirements are met, this information is stored for its later use and 
the public key will be fair blind signed over the public pseudonym. Once the 
user gets that signature, he transforms it into a clear signature of the public key 
over the private pseudonym. 

1. U : N = NAK()

2. U → AA^i : S_U(TTP, S_TTP(f_publ, val_period, P_publ), ATTR^i_U, fblind_{AA^i}(N_publ))

3. AA^i : IF (¬V_TTP(S_TTP(f_publ, val_period, P_publ))
         ∨ ¬fulfill_req(U, TTP, P_publ, ATTR^i_U)) THEN Abort

4. AA^i : STORE(U, ATTR^i_U, TTP, S_TTP(f_publ, val_period, P_publ))

5. AA^i → U : S_{AA^i}^{P_publ}(fblind_{AA^i}(N_publ))

6. U : S_{AA^i}^{P_priv}(N_publ)

Part III. Obtaining a Conditionally Traceable Attribute Certificate. 

In this part of the protocol, the user will use the anonymous proof obtained in 
the previous part in order to apply for a standard attribute certificate. Thus, 
the user creates a structure to hold the information about his pseudonym and 
signs it to state that such information is correct and that the owner (the one 
who knows the private key associated with the public key) agrees on the terms 
expressed in such a structure. 

At that moment, the user sends the proof obtained in the previous part, that 
is, the fair blind signature of the public key linked with the private pseudonym, 
the proof that the private pseudonym is valid, and the structure previously 
created. 

The AA will verify every signature and will check the terms expressed in such 
a structure, specially in the condition under which the user’s real identity will 
be revealed. Therefore, provided that the terms are signed by the holder and 
by the authority, the TTP will reveal the link between the private pseudonym 
and the public one whenever the attribute certificate is presented to the TTP 
and condition is verified. Additionally, the A A will reveal the link between the 
public pseudonym and the user’s identity. 

When everything works correctly, the AA creates an attribute certificate for 
a validity period stating that the holder of the related structure possesses such 
a specified attribute, and sends it to the user. The holder of such a structure is 
the one who knows the private key associated with the public key in it. 

1. U : Pseud_Inf = S_N(Label_PI, P_priv, TTP, Cond, Sig_Alg, N_publ)

2. U → AA : (S_TTP(f_priv, val_period, P_priv), S_{AA^i}^{P_priv}(N_publ), Pseud_Inf)

3. AA : IF (¬V_TTP(S_TTP(f_priv, val_period, P_priv)) ∨ ¬V_{AA^i}(S_{AA^i}^{P_priv}(N_publ))
        ∨ ¬V_N(Pseud_Inf) ∨ ¬Agree_on(Cond)) THEN Abort

4. AA : Attr_Cert = S_AA(Vers, Serial, Sig_Alg, AA, Val_Period, H(Pseud_Inf), ATTR^i)

5. AA → U : Attr_Cert
Part IV. Using a Conditionally Traceable Attribute Certificate. In this
part we show how the attribute certificate obtained in the previous part can be
used. A user will send his anonymous attribute certificate plus the associated
pseudonym information to any service provider, SP. The SP will verify that such
a message is correct and that the certified attribute is enough to access the
service, sending a request to the anonymous user for the signature of a challenge
in order to prove ownership. If the challenge is correctly signed then the service
is granted to the user.

1. U → SP : (Attr_Cert, Pseud_Inf)

2. SP : IF (¬V_AA(Attr_Cert) ∨ (H(Pseud_Inf) ≠ Holder_Field(Attr_Cert))
        ∨ ¬fulfill_req(Service, Attr_Cert, Pseud_Inf)) THEN Abort

3. SP → U : challenge

4. U → SP : S_N(challenge)

5. SP : IF (¬V_N(S_N(challenge))) THEN Abort

6. SP → U : Service_granted

If the user misuses his privileges obtained through an anonymous attribute 
certificate, then the service provider will collect all the proofs of that misuse, and 
will send them to the AA and the TTP requesting the revocation of the attribute 
certificate and revealing the user’s identity (for an eventual prosecution) . In these 
cases, it could be interesting that the challenge includes a timestamp and the 
transaction identification besides the random bits, in order to prove misuses 
where time is important. 
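As an added illustration of Part IV, not taken from the paper, the following Python sketch implements the service provider's side: the checks of step 2 (V_AA over the certificate, the binding H(Pseud_Inf) = Holder_Field(Attr_Cert), the validity period, and the attribute required by the service), and a challenge for step 3 that carries random bits together with a timestamp and a transaction identifier, as the paragraph above suggests, so that a signed challenge can later be tied to one specific transaction. The signature scheme standing in for S_X / V_X is textbook RSA over SHA-256 with constructed Mersenne-prime moduli; the JSON encoding, the field names and the freshness window are assumptions of this example.

```python
import hashlib
import json
import os

# Signature scheme standing in for the paper's S_X / V_X: textbook RSA over SHA-256.
# Moduli are built from Mersenne primes for this illustration only; a deployment
# would use a standard signature scheme with full-size keys.
E = 65537

def keygen(p, q, e=E):
    """Return (public, private) = ((n, e), (n, d)) for the given primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def canon(msg):
    """Canonical byte encoding of a protocol message (assumption: sorted-key JSON)."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def H(msg):
    return hashlib.sha256(canon(msg)).hexdigest()

def sign(priv, msg):
    n, d = priv
    return pow(int(H(msg), 16) % n, d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int(H(msg), 16) % n

def make_attr_cert(aa_priv, pseud_inf, attr, not_before, not_after):
    """AA side of Part III, step 4: the Holder field carries H(Pseud_Inf)."""
    body = {"Vers": 1, "Serial": 7, "Sig_Alg": "toy-rsa-sha256", "Issuer": "AA",
            "Val_Period": [not_before, not_after], "Holder": H(pseud_inf), "ATTR": attr}
    return {"body": body, "sig": sign(aa_priv, body)}

def make_challenge(tx_id, now):
    """Part IV, step 3: random bits plus a timestamp and the transaction id, so that a
    signed challenge proves ownership for one transaction at one point in time."""
    return {"nonce": os.urandom(16).hex(), "time": now, "tx": tx_id}

def sp_check_request(aa_pub, attr_cert, pseud_inf, required_attr, now):
    """Part IV, step 2. Returns None to continue, or the reason to Abort."""
    body = attr_cert["body"]
    if not verify(aa_pub, body, attr_cert["sig"]):
        return "V_AA(Attr_Cert) failed"
    if H(pseud_inf) != body["Holder"]:
        return "H(Pseud_Inf) != Holder_Field(Attr_Cert)"
    not_before, not_after = body["Val_Period"]
    if not not_before <= now <= not_after:
        return "Attr_Cert outside its validity period"
    if body["ATTR"] != required_attr:
        return "fulfill_req(Service, Attr_Cert, Pseud_Inf) failed"
    return None

def sp_check_response(pseud_inf, challenge, sig, now, max_age):
    """Part IV, step 5, plus a freshness window: V_N uses N_publ taken from Pseud_Inf."""
    if now - challenge["time"] > max_age:
        return "stale challenge"
    if not verify(pseud_inf["N_publ"], challenge, sig):
        return "V_N(S_N(challenge)) failed"
    return None

def run_demo(now=1_700_000_000):
    """Drive one run and collect the SP's decisions (constructed data throughout)."""
    aa_pub, aa_priv = keygen((1 << 89) - 1, (1 << 61) - 1)    # AA's key pair
    n_pub, n_priv = keygen((1 << 107) - 1, (1 << 31) - 1)     # the user's key pair N (Part II)
    pseud_inf = {"Label": "PI", "P_priv": "P_priv-constructed", "TTP": "ttp.example",
                 "Cond": "disclose on proven misuse", "Sig_Alg": "toy-rsa-sha256",
                 "N_publ": list(n_pub)}
    cert = make_attr_cert(aa_priv, pseud_inf, "member", now - 10, now + 3600)
    tampered = {"body": dict(cert["body"], ATTR="admin"), "sig": cert["sig"]}
    chal = make_challenge("tx-0001", now)
    sig = sign(n_priv, chal)
    return {
        "request": sp_check_request(aa_pub, cert, pseud_inf, "member", now),
        "tampered_cert": sp_check_request(aa_pub, tampered, pseud_inf, "admin", now),
        "other_pseudonym": sp_check_request(aa_pub, cert, dict(pseud_inf, P_priv="other"), "member", now),
        "expired": sp_check_request(aa_pub, cert, pseud_inf, "member", now + 7200),
        "wrong_attribute": sp_check_request(aa_pub, cert, pseud_inf, "admin", now),
        "response": sp_check_response(pseud_inf, chal, sig, now + 1, 30),
        "replayed_later": sp_check_response(pseud_inf, chal, sig, now + 600, 30),
        "other_transaction": sp_check_response(pseud_inf, dict(chal, tx="tx-0002"), sig, now + 1, 30),
    }
```

`run_demo()` exercises the accept path and each abort branch: a certificate whose body was altered after signing, a Pseud_Inf that does not hash to the Holder field, an expired certificate, a challenge presented after the freshness window, and a signature over a challenge for a different transaction.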

5 Discussion and Future Work 

New applications, particularly in the area of e-commerce, need an authoriza- 
tion service to describe privileges to perform tasks. Traditional authorization 
solutions are not very helpful for many of the Internet applications; however, at- 
tribute certificates proposed by ITU-T are well suited to solve this problem. On 
the other hand, during last years, users have paid special attention to the prob- 
lem caused by the fact that many of the operations and transactions they carry 
out through the Internet can be easily recorded and collected. Thus, anonymity 
has become a desirable feature to be added in many cases. 

We have presented a first approach to extend X.509 attribute certificates with 
anonymity capabilities, as well as a protocol to obtain certificates preserving 
user’s anonymity by using a fair blind signature scheme. 

The approach could be improved and adapted depending on the different 
scenarios where to be applied. We explain now how several improvements can 
be added to our scheme in order to have a better behavior. 

414 Vicente Benjumea et al.

In some applications when a user applies for a certificate, the system should
provide a receipt of such a request in order to guarantee that the system will
process it appropriately. Whenever the system replies to that request, it should
get a receipt in order to prove that its duty was achieved properly. In those
systems a fair non-repudiation scheme [20] should be used.

Moreover, in order to improve the user’s anonymity, an anonymous commu- 
nication channel (such as a mixnet [4]) could be used in part I, III and IV of the 
protocol to masquerade the originator IP address. This scheme should be used 
in systems where user’s anonymity is the most important requirement to the 
system and user’s identity could be guessed using the IP address of the message 
originator. 

In order to avoid the possibility that organizations create anonymous user 
profiles, a user can run the protocol several times to get the same attribute 
certificate under a different pseudonym. However, it would be interesting to get 
a pseudonym with one public part and many private ones, in such a way that 
it would be only necessary to re-run part III of the protocol in order to get the 
attribute certificate under different pseudonyms (all related to the same public 
part). 

The solution that we propose in this work does not solve all problems that
could arise in a multi-purpose anonymous attribute system. We believe that the
main drawbacks in our current solution are:

— The user's identity in part II of the protocol could be linked with the private
pseudonym in part III of the protocol if, during the protocol run, such a
user is the only one who has an unfinished open request and the AA colludes
with the Attribute sub-Authority. Thus, the interleaving of users' requests
between part II and part III is very important in our protocol.

— The current version of the protocol does not prevent the anonymous user U_1
from transferring the use of his anonymous attribute certificate to another
anonymous user U_2 just by letting U_2 know the associated private key. U_1 and
U_2 would share in this way the use and advantages of possessing that attribute,
even if U_2 does not possess it. This is, of course, one of the most important
areas where we will focus our further research.
Abstract. Boneh and Venkatesan have proposed a polynomial time
algorithm in a non-uniform model for recovering a "hidden" element
$\alpha \in \mathbb{F}_p$, where $p$ is prime, from very short strings of the most
significant bits of the residue of $\alpha t$ modulo $p$ for several randomly chosen
$t \in \mathbb{F}_p$. Here we modify the scheme and amplify the uniformity of
distribution of the 'multipliers' $t$ and thus extend this result to subgroups
of $\mathbb{F}_p^*$, which are more relevant to practical usage. As in the work of
Boneh and Venkatesan, our result can be applied to the bit security of
Diffie-Hellman related encryption schemes starting with subgroups of
very small size, including all cryptographically interesting subgroups.



Keywords: Hidden number problem, Diffie-Hellman key exchange, Lattice reduction,
Exponential sums, Waring problem in finite fields, Nonuniform algorithm

1 Introduction 

For a prime $p$, denote by $\mathbb{F}_p$ the field of $p$ elements and always assume that it is
represented by the set $\{0, 1, \dots, p-1\}$. Accordingly, sometimes, where obvious,
we treat elements of $\mathbb{F}_p$ as integer numbers in the above range.

For a real $\eta > 0$ and $t \in \mathbb{F}_p$ we denote by $\mathrm{MSB}_{\eta,p}(t)$ any integer which satisfies
the inequality

$$|t - \mathrm{MSB}_{\eta,p}(t)| < p\,2^{-\eta-1}. \tag{1}$$

Roughly speaking, $\mathrm{MSB}_{\eta,p}(t)$ is an integer sharing about $\eta$ most significant bits with
$t$. However, this definition is more flexible and better suited to our purposes. In
particular we remark that $\eta$ in the inequality (1) need not be an integer.

Given a subgroup $\mathcal{G} \subseteq \mathbb{F}_p^*$ we consider the following hidden number problem
over $\mathcal{G}$:

Recover a number $\alpha \in \mathbb{F}_p$ such that for $k$ elements $t_1, \dots, t_k \in \mathcal{G}$, chosen
independently and uniformly at random from $\mathcal{G}$, we are given $k$ pairs
for some $\eta > 0$.

For $\mathcal{G} = \mathbb{F}_p^*$ this problem has been introduced and studied by Boneh and
Venkatesan [3,4]. In [3] a polynomial time algorithm is designed which recovers
$\alpha$ for some $\eta \approx (\log p)^{1/2}$ and $k = O(\log^{1/2} p)$. The algorithm of [3] has been
extended in several directions. In particular, in [8] it is generalised to all
sufficiently large subgroups $\mathcal{G} \subseteq \mathbb{F}_p^*$. This and other generalisations have led to
a number of cryptographic applications, see [20,21,22]. Using bounds of
exponential sums from [9,11] it has been shown that the algorithm of [3] works for
subgroups $\mathcal{G} \subseteq \mathbb{F}_p^*$ of order $\#\mathcal{G} \ge p^{\nu+\varepsilon}$, where for any $\varepsilon > 0$ and sufficiently large
$p$ one can take

— $\nu = 1/3$ for all primes,

— $\nu = 0$ for almost all primes $p$.

Using a recent improvement of [5] of the bounds of exponential sums over small
subgroups of $\mathbb{F}_p^*$ one can obtain the same result with $\nu = 0$ for all primes $p$ and
thus extend the results of [3,8] to subgroups of order $\#\mathcal{G} \ge p^{\varepsilon}$.

For $\mathcal{G} = \mathbb{F}_p^*$ in [4] an algorithm is constructed which works with much smaller
values $\eta \approx \log\log p$; however, this algorithm is non-uniform. This means that if
the points $t_1, \dots, t_k \in \mathcal{G}$ are known in advance, one can design (in exponential
time) a certain data structure such that, now given the $k$ values $\mathrm{MSB}_{\eta,p}(\alpha t_i)$, $i = 1, \dots, k$,
the hidden number $\alpha$ can be found in polynomial time. In the present paper we
extend the algorithm of [4] to essentially arbitrary subgroups of $\mathbb{F}_p^*$. As in [4] we
discuss possible applications of our algorithm to proving bit security results for
several exponentiation based cryptographic schemes.

As in [3,4], the method is based on some properties of lattices, but also
makes use of exponential sums, however not in such a direct way as in [8].
Namely, we introduce certain new arguments allowing us to amplify the uniformity
of distribution properties of small subgroups $\mathcal{G}$. This allows us to use the bound
of exponential sums from [10] with elements of $\mathcal{G}$, which is very moderate in
strength (and does not imply any uniformity of distribution properties of $\mathcal{G}$,
which would be the crucial argument of the method of [8]). The bound of [10]
has however the very important advantage over the bounds of [5,9,11] that it
applies to subgroups of order

$$\#\mathcal{G} \ge \frac{\log p}{(\log\log p)^{1-\varepsilon}}.$$

It is interesting to note that our approach has links with the famous Waring
problem which has been studied in number theory for several hundred years.
In fact, the Waring problem in finite fields has been the main motivation of
the bound of exponential sums of [10] which we use in this paper. For surveys
of recent results on this problem see [6,10,25]. We also remark that a uniform
algorithm, which is also based on a similar use of the bound of [10] and which
improves the results of [8], has recently been proposed in [23].

Throughout the paper $\log x$ always denotes the binary logarithm of $x > 0$
and the constants in the 'O'-symbols may occasionally, where obvious, depend
on a small positive parameter $\varepsilon$ and are absolute otherwise. We always assume
that $p$ is a prime number with $p \ge 5$, thus the expression $\log\log p$ is defined (and
positive).
2 Exponential Sums and Distribution of Short Sums of
Elements of Subgroups

For a complex $z$ we put $e_p(z) = \exp(2\pi i z/p)$.

Let $T = \#\mathcal{G}$, $T \mid (p-1)$, be the cardinality of a subgroup $\mathcal{G} \subseteq \mathbb{F}_p^*$. If we put
$n = (p-1)/T$ then each element $r \in \mathcal{G}$ has exactly $n$ representations $r = x^n$
with $x \in \mathbb{F}_p^*$. Therefore, for any $\lambda \in \mathbb{F}_p$,

$$\sum_{r \in \mathcal{G}} e_p(\lambda r) = \frac{1}{n} \sum_{x \in \mathbb{F}_p^*} e_p(\lambda x^n).$$



Now by Theorem 1 of [10] we have the following bound, see also [6,11].

Lemma 1. For any $1 > \varepsilon > 0$ there exists a constant $c(\varepsilon) > 0$ such that for any
subgroup $\mathcal{G} \subseteq \mathbb{F}_p^*$ of order

$$T \ge \frac{\log p}{(\log\log p)^{1-\varepsilon}}$$

the bound

$$\max_{\gcd(\lambda,p)=1} \left| \sum_{r \in \mathcal{G}} e_p(\lambda r) \right| \le T \left( 1 - \frac{c(\varepsilon)}{(\log p)^{1+\varepsilon}} \right)$$

holds.



For an integer $k \ge 1$, a subgroup $\mathcal{G} \subseteq \mathbb{F}_p^*$ and $t \in \mathbb{F}_p$ we denote by $N_k(\mathcal{G}, t)$
the number of solutions of the equation

$$r_1 + \dots + r_k \equiv t \pmod p, \qquad r_1, \dots, r_k \in \mathcal{G}.$$

Recalling the relation between $\mathcal{G}$ and the set of $n$th powers, where $n = (p-1)/T$, we
see that studying the above congruence is equivalent to studying the congruence

$$x_1^n + \dots + x_k^n \equiv t \pmod p, \qquad x_1, \dots, x_k \in \mathbb{F}_p^*.$$

The problem of finding the smallest possible value of $k$ for which the congruence
(or in more traditional settings the corresponding equation over $\mathbb{Z}$) has a solution
for any $t$ is known as the Waring problem. However for our purposes just
solvability is not enough. Rather we need an asymptotic formula for the number
of solutions.

We show that Lemma 1 can be used to prove that for reasonably small $k$,
$N_k(\mathcal{G}, t)$ is close to its expected value.

Lemma 2. For any $1 > \varepsilon > 0$ there exists a constant $C(\varepsilon) > 0$ such that for
any subgroup $\mathcal{G} \subseteq \mathbb{F}_p^*$ of order

$$T \ge \frac{\log p}{(\log\log p)^{1-\varepsilon}}$$

the bound

$$\max_{t \in \mathbb{F}_p} \left| N_k(\mathcal{G}, t) - \frac{T^k}{p} \right| \le \frac{2T^k}{p^2}$$

holds for any integer $k \ge C(\varepsilon)(\log p)^{2+\varepsilon}$.

Proof. The well-known identity (see for example [14, Chapter 5.1])

$$\frac{1}{p} \sum_{\lambda=0}^{p-1} e_p(\lambda u) = \begin{cases} 0, & \text{if } u \not\equiv 0 \pmod p, \\ 1, & \text{if } u \equiv 0 \pmod p, \end{cases}$$

implies that

$$N_k(\mathcal{G}, t) = \sum_{r_1, \dots, r_k \in \mathcal{G}} \frac{1}{p} \sum_{\lambda=0}^{p-1} e_p\bigl(\lambda(r_1 + \dots + r_k - t)\bigr).$$

Separating the term $T^k/p$, corresponding to $\lambda = 0$, and applying Lemma 1 to the
other terms, we obtain

$$\max_{t \in \mathbb{F}_p} \left| N_k(\mathcal{G}, t) - \frac{T^k}{p} \right| \le T^k \left( 1 - \frac{c(\varepsilon)}{(\log p)^{1+\varepsilon}} \right)^k \le T^k \exp\bigl( -c(\varepsilon)\, k\, (\log p)^{-1-\varepsilon} \bigr)$$

and the desired result follows. □



3 Rounding in Lattices

Let $B = (\mathbf{b}_1, \dots, \mathbf{b}_s)^T \in \mathbb{R}^{s \times s}$ be a nonsingular $s \times s$ matrix over the set of real
numbers $\mathbb{R}$ with rows $\mathbf{b}_1, \dots, \mathbf{b}_s$. The set of vectors
spanned over the integers by the rows of $B$ is called an $s$-dimensional full rank lattice $\mathcal{L}$ associated
with the matrix $B$. The set $\{\mathbf{b}_1, \dots, \mathbf{b}_s\}$ is called a basis of $\mathcal{L}$.

One of the most fundamental problems in this area is the closest vector
problem. This problem can be defined with respect to any vector norm $\|\mathbf{w}\|$ as
follows: given a basis of a lattice $\mathcal{L}$ in $\mathbb{R}^s$ and a target vector $\mathbf{u} \in \mathbb{R}^s$, find a
lattice vector $\mathbf{v} \in \mathcal{L}$ with

$$\|\mathbf{u} - \mathbf{v}\| = \operatorname{dist}(\mathbf{u}, \mathcal{L})$$

where

$$\operatorname{dist}(\mathbf{u}, \mathcal{L}) = \min \{ \|\mathbf{u} - \mathbf{z}\| \mid \mathbf{z} \in \mathcal{L} \}.$$

It is well known that the closest vector problem in the Euclidean norm is NP-hard
(see [16,17] for references). However, its approximate version [2] admits a
polynomial time algorithm which goes back to the lattice basis reduction
algorithm of Lenstra, Lenstra and Lovász [12], see also [1] for more recent
developments.

However, it has been noticed in [4] that for some special class of lattices a
simple rounding technique gives an exact solution to the closest vector problem.
Here we summarise several results from [4] which underlie this technique and its
applications to the hidden number problem.

For our purposes the $L_1$-norm is most relevant, thus from now on we always
assume that $\|\mathbf{w}\| = \sum_{i=1}^s |w_i|$ is the $L_1$-norm of $\mathbf{w} = (w_1, \dots, w_s) \in \mathbb{R}^s$; in
particular $\operatorname{dist}(\mathbf{u}, \mathcal{L})$ is always assumed to be defined with respect to the $L_1$-norm.

Given a target vector $\mathbf{u} \in \mathbb{R}^s$, using standard linear algebra tools, we find
its representation in the basis $\{\mathbf{b}_1, \dots, \mathbf{b}_s\}$

$$\mathbf{u} = \sum_{i=1}^s w_i \mathbf{b}_i$$

and then put

$$[\mathbf{u}] = \sum_{i=1}^s \lceil w_i \rfloor \mathbf{b}_i,$$

where for $w \in \mathbb{R}$, $\lceil w \rfloor$ denotes the closest integer (in the case of $2w \in \mathbb{Z}$ we put
$\lceil w \rfloor = \lfloor w \rfloor$). Clearly, $[\mathbf{u}] \in \mathcal{L}$, but in general it need not be the closest (or even
just a close) vector.

Now, for a matrix $C \in \mathbb{R}^{s \times s}$ with columns $\mathbf{c}_1^T, \dots, \mathbf{c}_s^T$, we introduce the
following measure

$$\rho(C) = \max_{1 \le j \le s} \|\mathbf{c}_j\|.$$

The following statement, which is essentially [4, Lemma 2.1], gives a sufficient
condition under which $[\mathbf{u}]$ is a solution to the closest vector problem for $\mathbf{u}$.
Lemma 3. If

$$\rho(C^{-1}) \le \frac{1}{2 \operatorname{dist}(\mathbf{u}, \mathcal{L})}$$

then

$$\|\mathbf{u} - [\mathbf{u}]\| = \operatorname{dist}(\mathbf{u}, \mathcal{L}).$$

We consider the lattice $\mathcal{L}(t_1, \dots, t_d)$ spanned by the rows of the matrix

$$B(t_1, \dots, t_d) = \begin{pmatrix} p & 0 & \cdots & 0 & 0 \\ 0 & p & \ddots & \vdots & \vdots \\ \vdots & \ddots & \ddots & 0 & \vdots \\ 0 & 0 & \cdots & p & 0 \\ t_1 & t_2 & \cdots & t_d & 1 \end{pmatrix}.$$

The next statement follows from [4, Theorem 2.2].

Lemma 4. Let $p$ be a prime and $d \ge 4 + \log p + \log\log p$. Let $t_1, \dots, t_d \in
\{0, 1, \dots, p-1\}$ be integers chosen uniformly and independently at random. Then
with probability at least $1/2$ there exists a basis of the lattice $\mathcal{L}(t_1, \dots, t_d)$ spanned
by rows of a certain matrix $C$ with entries of polynomial size $(\log p)^{O(1)}$ and with
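Added example in Python, not taken from [4] or from this paper: the rounding [u] in a basis, the measure ρ, and the sufficient condition of Lemma 3, tried on two constructed lattices. For the nearly orthogonal basis with rows (10, 1) and (1, 10) the condition holds and rounding returns the closest vector; for the basis B(t_1, ..., t_d) above with p = 1009 one gets ρ(B^{-1}) = 1, so the condition fails and rounding in that basis misses the closest vector, which is why Section 4 asks for a different basis C of the same lattice with small ρ(C^{-1}). dist(u, L) is found by exhaustive search, which is only feasible in these tiny dimensions; the basis matrices and targets are constructed.

```python
from fractions import Fraction
from itertools import product

def l1(v):
    """L1 norm, the norm used throughout Section 3."""
    return sum(abs(x) for x in v)

def inverse(M):
    """Inverse of a nonsingular square matrix over the rationals (Gauss-Jordan)."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        f = A[col][col]
        A[col] = [x / f for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                g = A[r][col]
                A[r] = [a - g * b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]

def rho(M):
    """rho(M) = max_j ||c_j||, the largest L1 norm of a column of M."""
    return max(l1([row[j] for row in M]) for j in range(len(M)))

def nearest_int(w):
    """Closest integer to the Fraction w; ties (2w integral) round down, as in the text."""
    q, r = divmod(w.numerator, w.denominator)
    return q + 1 if 2 * r > w.denominator else q

def coefficients(C, u):
    """w with u = sum_i w_i b_i, the rows b_i of C being the basis: w = u C^{-1}."""
    n, Cinv = len(C), inverse(C)
    return [sum(Fraction(u[i]) * Cinv[i][j] for i in range(n)) for j in range(n)]

def lattice_vector(C, coeff):
    n = len(C)
    return [sum(coeff[i] * C[i][j] for i in range(n)) for j in range(n)]

def round_in_basis(C, u):
    """[u] = sum_i <w_i> b_i: round each coefficient and map back to the lattice."""
    return lattice_vector(C, [nearest_int(w) for w in coefficients(C, u)])

def brute_dist(C, u, radius=2):
    """dist(u, L) by exhaustive search around the rounded coefficients (tiny dimension only)."""
    base = [nearest_int(w) for w in coefficients(C, u)]
    best = None
    for delta in product(range(-radius, radius + 1), repeat=len(C)):
        v = lattice_vector(C, [b + d for b, d in zip(base, delta)])
        dist = l1([a - b for a, b in zip(u, v)])
        best = dist if best is None else min(best, dist)
    return best

def lemma3_applies(C, u):
    """Sufficient condition of Lemma 3: rho(C^{-1}) <= 1 / (2 dist(u, L))."""
    dist = brute_dist(C, u)
    return True if dist == 0 else rho(inverse(C)) <= Fraction(1, 2 * dist)

def hnp_basis(p, ts):
    """Rows of B(t_1, ..., t_d): p on the diagonal of the first d rows, then (t_1, ..., t_d, 1)."""
    d = len(ts)
    rows = [[p if i == j else 0 for j in range(d + 1)] for i in range(d)]
    rows.append(list(ts) + [1])
    return rows
```

With `C = [[10, 1], [1, 10]]` and target `u = [30, -18]` (the lattice point 3·b_1 − 2·b_2 = (28, −17) plus an error of L1 norm 3), `rho(inverse(C))` is 1/9 ≤ 1/6 and `round_in_basis` returns (28, −17). With `B = hnp_basis(1009, [5, 7])` and `u = [3, 4, 0]`, rounding gives the zero vector at distance 7 while (5, 7, 1) is at distance 6.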



4 Nonuniform Algorithm

For an integer $w$ we denote by $\lfloor w \rfloor_p$ the remainder of $w$ on division by $p$.

Assume that for $\alpha \in \mathbb{F}_p^*$ and a subgroup $\mathcal{G} \subseteq \mathbb{F}_p^*$ of order $T$, generated by
$g \in \mathbb{F}_p^*$, we are given an oracle such that for every $x \in \{0, 1, \dots, T-1\}$
it returns $\mathrm{MSB}_{\mu,p}(\lfloor \alpha g^x \rfloor_p)$.

Theorem 1. For any $1 > \varepsilon > 0$ there exists a constant $a(\varepsilon) > 0$ such that, for
$\mu = a(\varepsilon) \log\log p$ and any $g \in \mathbb{F}_p^*$ of order

$$T \ge \frac{\log p}{(\log\log p)^{1-\varepsilon}},$$

after taking a polynomial number $(\log p)^{O(1)}$ of advice bits depending only on
$p$ and $\mathcal{G}$ but independent of $\alpha$, one can design a deterministic algorithm which
makes $O\bigl((\log p)^{3+\varepsilon}\bigr)$ calls of the oracle and then recovers $\alpha$ in polynomial
time.

Proof. Put

$$d = 5 + \lceil \log p + \log\log p \rceil, \qquad k = \lceil C(\varepsilon)(\log p)^{2+\varepsilon} \rceil,$$

where $C(\varepsilon)$ is given by Lemma 2.
The advice bits which we request describe:

— the values of $t_1, \dots, t_d \in \mathbb{F}_p$ for which the lattice $\mathcal{L}(t_1, \dots, t_d)$ is spanned by
a matrix $C$ with

$$\rho(C^{-1}) \le \frac{3d \log p}{p},$$

which exist by Lemma 4, and the above matrix $C$;

— the exponents $x_{h,j}$, $h = 1, \dots, d$, $j = 1, \dots, k$, with

$$\sum_{j=1}^k g^{x_{h,j}} \equiv t_h \pmod p, \qquad h = 1, \dots, d,$$

which exist by Lemma 2.

We call the oracle with $x = 0$, getting an approximation $u_0 = \mathrm{MSB}_{\mu,p}(\alpha)$.
Now we call the oracle for the $dk$ integers

$$r_{h,j} = g^{x_{h,j}} \in \mathcal{G}, \qquad j = 1, \dots, k, \ h = 1, \dots, d,$$

and get integers $u_{h,j}$ with

$$\bigl| \lfloor \alpha r_{h,j} \rfloor_p - u_{h,j} \bigr| \le p/2^{\mu+1}, \qquad h = 1, \dots, d, \ j = 1, \dots, k.$$

For $h = 1, 2, \dots, d$ we put

$$v_h = \sum_{j=1}^k \lfloor \alpha r_{h,j} \rfloor_p, \qquad u_h = \sum_{j=1}^k u_{h,j},$$

where all the additions are over $\mathbb{Z}$.

Note that for sufficiently large $p$,

$$|v_h - u_h| \le kp/2^{\mu+1} \le p/2^{\nu+1},$$

where

$$\nu = \mu - \log k \ge \log\bigl(3d(d+1) \log p\bigr),$$

for an appropriate value of $a(\varepsilon)$ and sufficiently large $p$.
Letting $\mathbf{u} = (u_1, \dots, u_d, u_0)$, we obtain

$$\operatorname{dist}\bigl(\mathbf{u}, \mathcal{L}(t_1, \dots, t_d)\bigr) \le (d+1)p/2^{\nu+1}.$$

Therefore,

$$\rho(C^{-1}) \le \frac{3d \log p}{p} \le \frac{2^{\nu}}{(d+1)p} \le \frac{1}{2 \operatorname{dist}\bigl(\mathbf{u}, \mathcal{L}(t_1, \dots, t_d)\bigr)}$$

and the result follows by Lemma 3. □
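The following Python example, added here and not part of the paper, makes Lemma 2 and the summation step of the proof above concrete on a small constructed instance (p = 1009 and the subgroup of order 24). It computes N_k(G, t) for every t by repeated convolution and reports the relative deviation from T^k/p that Lemma 2 bounds; it extracts a representation t = r_1 + ... + r_k with all r_j in G, which is what the advice exponents x_{h,j} encode; and it sums k answers of a simulated MSB oracle as in the proof, checking that u_h approximates v_h = Σ_j ⌊α r_j⌋_p ≡ α t_h (mod p) within k(p/2^{μ+1} + 1). The oracle, the parameters and the hidden α are constructed; the extra +1 per call comes from returning an integer bucket midpoint rather than a real number.

```python
from fractions import Fraction

def subgroup_of_order(p, T):
    """Sorted elements of the subgroup G of F_p^* of order T (T must divide p-1)."""
    assert (p - 1) % T == 0
    for x in range(2, p):
        h = pow(x, (p - 1) // T, p)       # h has order dividing T
        G, y = [], 1
        while True:
            G.append(y)
            y = y * h % p
            if y == 1:
                break
        if len(G) == T:
            return sorted(G)
    raise ValueError("no element of order T")

def sum_counts(p, G, k):
    """counts[j][t] = N_j(G, t): number of (r_1, ..., r_j) in G^j with sum t mod p."""
    counts = [[0] * p for _ in range(k + 1)]
    counts[0][0] = 1
    for j in range(1, k + 1):
        prev, cur = counts[j - 1], counts[j]
        for s, c in enumerate(prev):
            if c:
                for r in G:
                    cur[(s + r) % p] += c
    return counts

def waring_number(counts):
    """Smallest j with N_j(G, t) > 0 for every t (the Waring problem in F_p), or None."""
    return next((j for j, row in enumerate(counts) if all(row)), None)

def max_relative_deviation(p, G, k, counts=None):
    """max_t |N_k(G,t) - T^k/p| / (T^k/p), the quantity Lemma 2 controls for large k."""
    counts = counts or sum_counts(p, G, k)
    expected = Fraction(len(G) ** k, p)
    return max(abs(Fraction(n) - expected) for n in counts[k]) / expected

def represent(p, G, k, t, counts):
    """r_1, ..., r_k in G with sum t mod p, found by walking the count table; these play
    the role of the advice r_{h,j} = g^{x_{h,j}} in the proof of Theorem 1."""
    if counts[k][t % p] == 0:
        return None
    rs, s = [], t % p
    for j in range(k, 0, -1):
        r = next(r for r in G if counts[j - 1][(s - r) % p])
        rs.append(r)
        s = (s - r) % p
    return rs

def msb_oracle(p, mu, x):
    """Simulated MSB_{mu,p}(x): integer midpoint of the bucket of width p/2^mu containing x,
    hence within p/2^(mu+1) + 1 of x."""
    i = (x * 2 ** mu) // p
    return ((2 * i + 1) * p) // 2 ** (mu + 1)

def amplified_approximation(p, G, k, mu, alpha, t, counts):
    """One row of the proof: v = sum_j floor(alpha r_j)_p (so v = alpha t mod p) is
    approximated by u = sum of the k oracle answers. Returns (u, v, error_bound)."""
    rs = represent(p, G, k, t, counts)
    v = sum(alpha * r % p for r in rs)
    u = sum(msb_oracle(p, mu, alpha * r % p) for r in rs)
    return u, v, k * (p / 2 ** (mu + 1) + 1)
```

For p = 1009, T = 24 and k = 160 every residue is a sum of k subgroup elements, the counts are close to T^k/p, and `amplified_approximation` returns a sum that agrees with α·t modulo p up to the accumulated oracle error, which is exactly the error budget the proof spends by choosing μ large enough that k p/2^{μ+1} ≤ p/2^{ν+1}.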
5 Application to Diffie-Hellman Related Schemes

Our result applies to establishing the bit security of the same exponentiation
based cryptographic schemes as those of [4]. Such schemes include, but are not
limited to, the Okamoto conference sharing scheme and a certain modification
of the ElGamal scheme, see [4] for more details.

The main distinction between our result and that of [4] is that we no longer
need to assume that the generating element is a primitive root, which is
a rather impractical assumption. Indeed, in practical applications of the Diffie-
Hellman and other related schemes, one would probably choose a subgroup of
$\mathbb{F}_p^*$ of prime order $T$. Moreover, it is quite reasonable to choose $T$ of size about
$\exp\bigl(c(\log p)^{1/3}(\log\log p)^{2/3}\bigr)$ for some constant $c > 0$, in order to balance the time
complexities of the number field sieve based attacks and Pollard's rho-method
based attacks, see [7,15,18,19,24]. Thus our result closes the gap between the
settings of [4] and settings more relevant to practical usage of the above schemes.

It also seems to be plausible that one can obtain similar, albeit slightly 
weaker, results for other cryptographically interesting subgroups in finite fields 
and rings, for which relevant bounds of character sums are available. For exam- 
ple, such bounds are known for XTR subgroups, see [13]. 
Abstract. We develop cryptographically secure techniques to guarantee uncon- 
ditional privacy for respondents to polls. Our constructions are efficient and prac- 
tical, and are shown not to allow cheating respondents to affect the “tally” by 
more than their own vote — which will be given the exact same weight as that 
of other respondents. We demonstrate solutions to this problem based on both 
traditional cryptographic techniques and quantum cryptography. 

Keywords: binary symmetric channel, oblivious transfer, polling, privacy, privacy- 
preserving data-mining, randomized response technique 



1 Introduction 

In some instances, privacy is a matter of keeping purchase information away from tele-
marketers, competitors, or other intruders. In other instances, privacy translates to secu-
rity against traffic analysis, such as for web browsing; or to security of personal location
information. In still other instances, which we study in this paper, privacy is a precon-
dition to being able to obtain answers to important questions. Two concrete examples
of instances of the latter are elections and surveys/polls.

While the first of these examples is the one of the two that has received — by far — the 
most attention in the field of cryptography, there are important reasons to develop better 
privacy tools for polling. Surprisingly, the two examples (namely, elections and polls), 
while quite similar at a first sight, are very different in their requirements. Since it is 
typically the case that there is more funding available for providing privacy in elections 
than in surveys and polls, it follows that the tallying process in the former may involve 
more costly steps than that in the latter — whether the process is electronic (using, e.g., 
mix networks) or mechanic. Second, while in the case of the voting scheme, we have 
that users need to entrust their privacy with some set of authorities, it is often the case 
that there is less trust established between the parties in polls. Yet another reason to 
treat the two situations separately is that elections involve many more respondents than 
polls typically do, thereby allowing a unique opinion (e.g., vote) to be hidden among 
many more in the case of elections than in the case of polls. Finally, while elections 
require as exact tallying as is possible, statistical truths are both sufficient and desirable 
in polls. This allows the use of polling techniques that are very different from election 
techniques — in terms of their cost; how tallying is done; and how privacy is protected. 
While not given much attention in cryptography, important work on polling has
been done in statistics. In particular, the randomized response technique (RRT) was
proposed by Warner [War65] in 1965, with the goal of being used in polls relating to
sensitive issues, such as drug abuse, sexual preferences and shoplifting. The underlying
idea behind Warner's proposal (alternative RRTs have been proposed since then) is for
respondents to randomize each response according to a certain, and known, probability
distribution. More precisely, they answer the question truthfully with some probability
p_ct > 1/2, while with a fixed and known probability 1 − p_ct they lie. Thus, users can
always claim that their answer — if it is of the "incriminating" type — was a lie. When
evaluating all the answers of the poll, these lies become statistically insignificant given
a large enough sample (where the size of the sample can be simply computed from the
probability distribution governing lying).

However, a pure RRT by itself is not well suited for all types of polls. E.g., it is be- 
lieved that people are more likely to vote for somebody who leads the polls than some- 
body who is behind. Therefore, it could be politically valuable not to lie (as required by 
the protocol) in polls relating to one’s political opinion, and therefore have one’s “vote” 
assigned a greater weight. (This is the case since people with the opposite opinion — if 
honestly following the protocol — will sometimes cast a vote according to your opinion, 
but you would never cast a vote according to their opinion, assuming you are willing 
to cheat.) While the results of the poll remain meaningful if everybody cheats (i.e., tells 
the truth with a probability different from that specified by the protocol), this is not the 
case when only some people deviate from the desired behavior. Also, while one might 
say that the increased weight in the polls is gained at the price of the cheater’s privacy, 
this is not necessarily the case if the cheater claims to have followed the protocol, and 
there is no evidence to the contrary. 
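The following Python code, an added example rather than part of the paper, makes the two preceding paragraphs concrete for Warner's RRT. With p_ct = 3/4 and 30% of respondents holding the sensitive opinion, the expected "yes" rate is 0.4 and Warner's estimator recovers 0.3 exactly; if every holder of that opinion ignores the protocol and always tells the truth, the estimator reports 0.45, i.e. each such respondent has gained the weight 1 + (1 − p_ct)/(2p_ct − 1) over an honest one, which is the bias the text describes. The closed form and a seeded Monte-Carlo poll are both shown; the sample size, the seed and the respondent population are constructed.

```python
from fractions import Fraction
import random

def expected_yes_rate(pi, p_ct, cheat=Fraction(0)):
    """Probability of an observed 'yes' answer.
    pi:    fraction of respondents whose true answer is 'yes' (the sensitive opinion)
    p_ct:  probability with which a protocol-following respondent tells the truth
    cheat: fraction of the 'yes' holders who ignore the protocol and always tell the truth
    """
    honest_holders = pi * (1 - cheat) * p_ct      # 'yes' holders who follow the protocol
    cheating_holders = pi * cheat                 # 'yes' holders who never lie
    lying_others = (1 - pi) * (1 - p_ct)          # 'no' holders who lie, i.e. say 'yes'
    return honest_holders + cheating_holders + lying_others

def warner_estimate(yes_rate, p_ct):
    """Warner's unbiased estimator of pi: E[yes_rate] = pi*p_ct + (1-pi)*(1-p_ct),
    so pi = (yes_rate - (1-p_ct)) / (2*p_ct - 1)."""
    return (yes_rate - (1 - p_ct)) / (2 * p_ct - 1)

def cheater_weight(p_ct, cheat=1):
    """Factor by which the estimate of pi is inflated when a fraction `cheat` of its
    holders always answer truthfully: estimate = pi * (1 + cheat*(1-p_ct)/(2*p_ct-1))."""
    return 1 + cheat * (1 - p_ct) / (2 * p_ct - 1)

def simulate_poll(n, pi, p_ct, cheat=0.0, seed=1):
    """Seeded Monte-Carlo poll over n constructed respondents; returns Warner's estimate."""
    rng = random.Random(seed)
    yes = 0
    for _ in range(n):
        holds = rng.random() < pi                     # the respondent's true opinion
        if holds and rng.random() < cheat:
            answer = True                             # cheater: always the truth
        else:
            answer = holds if rng.random() < p_ct else not holds
        yes += answer
    return warner_estimate(yes / n, p_ct)
```

`expected_yes_rate` and `warner_estimate` work with `Fraction` so the closed-form values are exact; `simulate_poll` shows the same effect on sampled answers, where the estimate is within sampling error of 0.3 for honest respondents and of 0.45 when the holders of the sensitive opinion all cheat.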

To address the problem of cheating respondents in RRT, we propose the notion 
of cryptographic randomized response technique (CRRT), which is a modification of 
RRT that prevents cheating. We present three efficient protocols for CRRT; two of them 
using classic cryptographic methods (and being efficient for different values of pet), and 
one using quantum methods. Importantly, the quantum RRT protocol is implementable 
by using contemporary technology. We give rigorous proofs of security for one of the 
classical protocols and for the quantum protocol. 

For all of our proposed solutions, the privacy of the respondent will be guaranteed 
information-theoretically (more precisely, statistically). This is appropriate to stimulate 
truthful feedback on topics that may affect the respondent for years, if not decades. 
All proposed solutions also guarantee that the respondents reply based on the desired 
probability distributions. Clearly, this requires that the respondent cannot determine the 
outcome of the protocol (as viewed by the interviewer) before the end of the protocol. 
Otherwise, he could simply halt the execution of the protocol to suppress answers in 
which the communicated opinion was a lie. We will therefore require protocols to offer 
privacy for the interviewer as well as for the respondent, meaning that the respondent 
cannot learn what the outcome of the protocol is, as seen by the interviewer. (One could 
relax this requirement slightly to allow the respondent to learn the outcome at the same 
time as the interviewer does, or afterward.) 
While we believe that it is important to prevent the respondent from biasing the 
outcome by selective halting (corresponding to the protocol being strongly secure), we 
also describe simplified versions of our protocols in which this protection mechanism 
is not available. Such simplified versions (which we refer to as weakly secure) can still 
be useful in some situations. They may, for example, be used as the default scheme for 
a given application — where they would be replaced by their strongly secure relatives 
if too many interactions are halted prematurely. (The decision of when the shift would 
be performed should be based on standard statistical methods, and will not be covered 
herein.) The benefit of considering such dual modes is that the weakly secure versions 
typically are computationally less demanding than the strongly secure versions. 

Finally, we also discuss cryptographic enhancements to two alternative RRT tech-
niques. In the first, referred to as RRT-IQ, the respondent always gives the truthful
answer to the question he is presented with. However, with a certain probability, he is
presented with an Innocuous Question instead of the intended question. A second alter-
native RRT technique is what is referred to as polychotomous RRT. In this version of
RRT, the respondent is given more than two possible options per question.

Other Applications. Our first protocol uses a novel protocol for information-theoretically 
secure verifiable oblivious transfer that enables easier zero-knowledge proofs on the 
properties of the transferred values. The new verifiable oblivious transfer protocol may 
also be useful in other applications. While our main designated application is polling, 
our techniques also have several other applications, in particular in privacy-preserving 
data mining. They are also related to several fundamental cryptographic problems. For 
example, our protocols for Warner’s technique (RRT-W) are also efficient implementations 
of the verifiable binary symmetric channel. (See Section 3.) 

New Verifiable Commitment Scheme. One of our RRT protocols uses a novel (and as 
far as we know, the first) two-round verifiable commitment scheme based on the (non-
verifiable) commitment scheme by Naor and Pinkas [NP01]. Verifiable commitment 
schemes have a huge range of applications (see footnote 1). 

Outline. We first review the details of the randomized response technique (Section 2), 
after which we review some related work in cryptography (Section 3). We then introduce 
the cryptographic building blocks of our protocols (Section 4). We then describe the 
functionality of our desired solution in terms of functional black boxes and protocol 
requirements (Section 5). In Section 6, we present our secure CRRT protocols. In Section 7 
we describe cryptographic solutions to other variants of the standard RRT. The appendix 
contains additional information about the new oblivious transfer protocol and about the 
quantum RRT protocol. 

2 Short Review of Randomized Response Technique 

When polling on sensitive issues like sexual behavior or tax evasion, respondents often 
deny their stigmatizing behavior due to the natural concern about their privacy. In 1965, 
Warner [War65] proposed the Randomized Response Technique (RRT) for organization of 
polls where an unbiased estimator (UE, defined in any standard statistics textbook) to 
the summatory information — the proportion of people belonging to a stigmatizing group 
$A$ — can be recovered, while the privacy of every individual respondent is protected 
statistically. Since then, different variations of the RRT have been proposed in 
statistics, see [CM88] for a survey. These different variations provide, for example, 
smaller variance, smaller privacy breaches, optimality under different definitions of 
privacy, and ability to answer polychotomous questions. Next we will give a short 
overview of three types of RRT. 

Footnote 1: Slightly more efficient and recent verifiable commitment schemes that draw 
ideas from this paper were proposed by the third author in [Lip03b]. The new schemes can 
be seamlessly plugged into our first RRT protocol. 

RRT-W. In Warner’s original method (RRT-W), the respondents provide a truthful answer 
to the question “Do you belong to a stigmatizing group $A$?” with a certain fixed and 
publicly known probability $p_{ct} > 1/2$. With probability $1 - p_{ct}$ they lie, 
i.e., answer the opposite question. Define $\pi_A$ to be the true proportion of the 
population that belongs to $A$ (or whose type is $t = 1$). Let $p_{yes}$ be the 
proportion of “yes” responses in the poll. In RRT-W, the a priori probability of 
getting a “yes” response is 
$p_{yes} = p_{ct} \cdot \pi_A + (1 - p_{ct})(1 - \pi_A)$. In the case of $N$ players, 
$L$ of which answer “yes”, an UE of $p_{yes}$ is $\hat{p}_{yes} = L/N$, the sample 
proportion of “yes” answers. From this, one can simply compute the unbiased estimator 
of $\pi_A$. This equals 
$\hat{\pi}_A = \frac{p_{ct} - 1}{2 p_{ct} - 1} + \frac{\hat{p}_{yes}}{2 p_{ct} - 1}$. 
Similarly, the variance $\mathrm{var}(\hat{\pi}_A)$ and its UE can be computed. 

RRT-IQ. An alternative RRT is the innocuous question method (RRT-IQ), first analyzed 
in [GASH69]. When using RRT-IQ, the respondent answers the sensitive question with 
probability $p_{ct}$, while with probability $1 - p_{ct}$ he answers an unrelated and 
innocuous question, such as “Flip a coin. Did you get tails?”. The RRT-IQ achieves the 
same goals as RRT-W but with less variance [CM88], which makes it more suitable for 
practical polling. Many other RRT-IQs are known, including some with an unknown estimate 
of the proportion of the population belonging to the innocuous group. 

PRRT. The RRTs for dichotomous polling (where the answer is yes or no) can be 
generalized to polychotomous RRT (PRRT) where the respondent can belong to one of the 
$m$ mutually exclusive groups $A_1, \ldots, A_m$, some of which are stigmatizing. A 
typical sensitive question of this kind is “When did you have your first child?”, with 
answers “1 — while not married”, “2 — within 9 months after the wedding” and “3 — more 
than 9 months after the wedding”. In many cultures, the answer 1 is stigmatizing, the 
answer 3 is innocuous, while the answer 2 is somewhere in between. The interviewer 
wants to know an UE for the proportion of people who belong to the group $A_i$, 
$i \in [1, m]$. There are many possible PRRTs [CM88, Chapter 3]. One of the simplest 
is the following technique PRRT-BD by Bourke and Dalenius [CM88]: first fix the 
probabilities $p_{ct}$ and $p_1, \ldots, p_m$ such that $p_{ct} + \sum_{i=1}^{m} p_i = 1$. 
A respondent either reveals her true type $t \in [1, m]$ with probability $p_{ct}$, or 
answers $i \in [1, m]$ with probability $p_i$. To recover an UE of 
$\pi := (\pi_1, \ldots, \pi_m)^T$, define $p := (p_1, \ldots, p_m)^T$ and 
$p_{ans} = (p_{ans,1}, \ldots, p_{ans,m})^T$, where $p_{ans,i}$ is the proportion of 
people who answer $i$. Then $p_{ans} = p_{ct} \cdot \pi + p$, and hence 
$\hat{\pi} = p_{ct}^{-1} \cdot (\hat{p}_{ans} - p)$. 
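The estimators of this section, carried through in code. This is an added example and not part of the paper: it implements the RRT-W (Warner) estimator $\hat{\pi}_A$ with an unbiased estimate of its variance, and the PRRT-BD estimator $\hat{\pi} = p_{ct}^{-1}(\hat{p}_{ans} - p)$, then checks both on constructed, seeded simulations of a poll. The population sizes, probabilities and seeds are constructed for the demonstration.

```python
"""Estimators for the RRT variants of Section 2.
Added example (not from the paper): Warner (RRT-W) and Bourke-Dalenius
(PRRT-BD) estimators, checked against simulated polls."""
import random
from fractions import Fraction


def warner_estimate(p_ct, n_yes, n_total):
    """Unbiased estimator of pi_A for RRT-W.

    From p_yes = p_ct * pi_A + (1 - p_ct)(1 - pi_A) we get
    pi_A = (p_yes - (1 - p_ct)) / (2 p_ct - 1); plugging in the sample
    proportion L/N keeps the estimator unbiased because it is linear in p_yes."""
    p_yes_hat = Fraction(n_yes, n_total)
    return (p_yes_hat - (1 - p_ct)) / (2 * p_ct - 1)


def warner_variance_estimate(p_ct, n_yes, n_total):
    """Unbiased estimate of var(pi_A_hat) = var(p_yes_hat) / (2 p_ct - 1)^2,
    where p(1-p)/(N-1) is the unbiased estimate of var(p_yes_hat)."""
    p_yes_hat = Fraction(n_yes, n_total)
    return p_yes_hat * (1 - p_yes_hat) / (n_total - 1) / (2 * p_ct - 1) ** 2


def prrt_bd_estimate(p_ct, p, answer_counts):
    """PRRT-BD: p_ans = p_ct * pi + p, hence pi_hat = p_ct^{-1} (p_ans_hat - p).
    p is the vector (p_1, ..., p_m) of forced-answer probabilities."""
    n_total = sum(answer_counts)
    return [(Fraction(c, n_total) - p_i) / p_ct for c, p_i in zip(answer_counts, p)]


def simulate_rrt_w(p_ct, types, seed):
    """Each respondent of type t answers truthfully with probability p_ct and
    answers the opposite question otherwise. Returns the number of 'yes' answers."""
    rng = random.Random(seed)
    return sum(t if rng.random() < p_ct else 1 - t for t in types)


def simulate_prrt_bd(p_ct, p, types, seed):
    """Each respondent of type t in [1, m] reveals t with probability p_ct and
    answers i with probability p_i otherwise (p_ct + sum(p) == 1)."""
    rng = random.Random(seed)
    m = len(p)
    counts = [0] * m
    for t in types:
        x = rng.random()
        if x < p_ct:
            counts[t - 1] += 1
            continue
        x -= p_ct
        for i, p_i in enumerate(p):
            if x < p_i:
                counts[i] += 1
                break
            x -= p_i
        else:  # guard against floating-point rounding at the upper boundary
            counts[m - 1] += 1
    return counts


def demo():
    """Constructed populations: 30% in group A for RRT-W, and
    pi = (0.2, 0.3, 0.5) for a three-group PRRT-BD poll."""
    types = [1] * 3000 + [0] * 7000
    n_yes = simulate_rrt_w(0.75, types, seed=7)
    pi_hat = warner_estimate(Fraction(3, 4), n_yes, len(types))
    ptypes = [1] * 2000 + [2] * 3000 + [3] * 5000
    counts = simulate_prrt_bd(0.5, (0.1, 0.2, 0.2), ptypes, seed=11)
    forced = (Fraction(1, 10), Fraction(1, 5), Fraction(1, 5))
    pi_vec = prrt_bd_estimate(Fraction(1, 2), forced, counts)
    return float(pi_hat), [float(v) for v in pi_vec]
```

Exact rational arithmetic is used so that the estimators can be checked against closed forms; the simulation shows that both estimators land close to the constructed true proportions while no single answer reveals a respondent's type.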
3 Related Cryptographic Work 

In [KANG99], Kikuchi et al. propose techniques with goals similar to ours. Unaware 
of the previous work on RRT, the authors reinvent this notion, and propose a protocol 
for performing the data exchange. However, their protocol is considerably less efficient 
than ours. Also, it does not offer strong security in our sense. This vulnerability makes 
their protocol unsuitable for their main application (voting), as well as for polls where 
respondents may wish to bias their answer. Our protocols can be used in their framework. 

The cryptographic RRT-W protocol can be seen as an implementation of a verifiable 
BSC, based on either verifiable oblivious transfer or more generally on a suitable 
commitment scheme. (Protocols for other RRTs implement even more complex channels.) 
Crépeau and Kilian have shown how to construct (nonverifiable) oblivious transfer 
protocols and commitment schemes from a (nonverifiable) BSC [CK88, Cre97], but 
their opposite reductions are less efficient. 

There is a very close relationship between our protocols and protocols for oblivious 
transfer and for the fractional oblivious transfer [BR99]. While our goals are orthogonal 
to those of oblivious transfer, the techniques are hauntingly similar. In particular, 
one of our CRRT protocols uses a protocol for oblivious transfer as a building block. 
While in principle any such protocol can be used, it is clear that the properties of the 
building block will be inherited by the main protocol. Therefore, in order to provide 
unconditional guarantees of privacy for the respondents, we use a verifiable variant of 
the information-theoretic protocol for oblivious transfer, namely that proposed by Naor 
and Pinkas [NP01]. We leave it as an open question whether the fractional oblivious 
transfer protocols of [BR99] (that essentially implement a verifiable erasure channel) 
can be modified to work in our scenario (where we need to implement a verifiable BSC in 
the case of RRT-W and related information channels without erasure in the case of other 
RRT protocols) or our protocols can be modified to work in their scenario; at least the 
first seems clearly not to be the case. 

Furthermore, our work is related to the work on Private Information Retrieval (PIR) 
in that the goal of our interviewer is to retrieve some element from the respondent, 
without the latter learning what was retrieved. More specifically, if some $\ell$ out of 
$n$ elements represent the respondent’s opinion, and the remaining $n - \ell$ elements 
represent the opposite opinion, then the interviewer will learn the respondent’s opinion 
with probability $\ell/n$ if he retrieves a random element. Of course, in order to 
guarantee the interviewer that the elements are correctly formed, additional mechanisms 
are required. 

In privacy-preserving data mining a related data randomization approach has been 
proposed: namely, the users input their data to the central database (e.g., a loyal 
customer inputs the name of the product he bought), and the database maintainer needs 
to do some statistical analysis on the database. However, the maintainer should not be 
able to recover individual items. Database randomization in the case when the maintainer 
is limited to the SUM function corresponds exactly to the RRT. For the same reasons as 
in the RRT, one should not be able to bias the data. Our protocols are also applicable 
in privacy-preserving data mining. 
4 Cryptographic Building Blocks 

Define $[a, b] := \{a, a+1, \ldots, b-1, b\}$. In the rest of this section we present 
some cryptographic building blocks that will be used in our CRRT protocols. Throughout 
this paper, assume that $p$ is a large prime, and $q$, $q \mid (p - 1)$, is another 
prime. Then $\mathbb{Z}_p^*$ has a unique subgroup $G$ of order $q$. Let $g$ and $h$ 
be two generators of $G$, such that nobody knows their mutual discrete logarithms 
$\log_g h$ and $\log_h g$. We let $k$ be the security parameter; in our setting we can 
take $k = q$. In the next two protocols (Pedersen’s commitment scheme and the 
Naor-Pinkas oblivious transfer protocol), the key $K$ consists of public parameters, 
$K := (g; h)$. 

Pedersen’s Commitment Scheme. In this scheme [Ped91], a message $\mu \in \mathbb{Z}_q$ 
is committed by drawing a random $\rho \leftarrow \mathbb{Z}_q$, and setting 
$C_K(\mu; \rho) := g^{\mu} h^{\rho}$. The commitment can be opened by sending $\mu$ and 
$\rho$ to the verifier. This scheme is homomorphic, i.e., 
$C_K(\mu; \rho) \cdot C_K(\mu'; \rho') = C_K(\mu + \mu'; \rho + \rho')$. Since it is 
also perfectly hiding and computationally binding, it can be used as a building block 
in efficient zero-knowledge arguments, such as protocols for arguing the knowledge of 
the plaintext $\mu$. 

Verifiable 1-out-of-n Oblivious Transfer. In a $\binom{n}{1}$-oblivious transfer (OT) 
protocol, the sender $\mathcal{R}$ has private input 
$\mu = (\mu_1, \ldots, \mu_n) \in M^n$ (and no private output) for some set $M$, while 
the chooser $\mathcal{I}$ has private input $\sigma \in [1, n]$ and private output 
$\mu_\sigma$. The oblivious transfer (OT) protocol by Naor and Pinkas [NP01] guarantees 
information-theoretic privacy for $\mathcal{R}$, and computational privacy for 
$\mathcal{I}$. Intuitively, in the Naor-Pinkas protocol, the sender oblivious-transfers 
one encryption key that is used to encrypt the actual database element $\mu_\sigma$. 
The Naor and Pinkas [NP01] paper does not specify the encryption method, mentioning 
only that the encryption scheme must be semantically secure. 

We propose to use Pedersen’s commitment scheme instead of an encryption scheme. 
Let $K = (g; h)$ be the public key of the commitment scheme. The proposed variant of 
the Naor-Pinkas protocol works as follows: 

1. $\mathcal{I}$ generates random $a, b \leftarrow \mathbb{Z}_q$ and sends 
$(A, B, C) \leftarrow (g^a, g^b, g^{ab - \sigma + 1})$. 

2. $\mathcal{R}$ performs the following, for $i \in [1, n]$: Generate random 
$(r_i, s_i)$. Compute $w_i \leftarrow g^{s_i} A^{r_i}$, compute an encryption 
$y_i \leftarrow C_K(\mu_i; v_i \bmod q)$, where 
$v_i \leftarrow (C \cdot g^{i-1})^{r_i} B^{s_i}$. Send $(w_i, y_i)$ to $\mathcal{I}$. 

3. $\mathcal{I}$ computes $w_\sigma^b$ $(= v_\sigma)$ and recovers 
$g^{\mu_\sigma} = y_\sigma / h^{v_\sigma}$. 

We denote this version of the Naor-Pinkas protocol, where $y_i$ is defined as 
$y_i = C_K(\mu_i; v_i)$, by $\binom{n}{1}$-OT$_K(\mu; \sigma)$. At the end of this 
protocol, the verifier obtains commitments to all elements $\mu_i$. Thus, the sender 
can argue in zero-knowledge for all $i \in [1, n]$ that the values $\mu_i$ satisfy 
some required conditions. We call such an OT protocol verifiable. (See [Lip03b] for a 
more precise definition.) $\mathcal{I}$ can “decrypt” $y_\sigma$ with the “key” 
$v_\sigma$, given that the possible message space $M$ is small enough for the 
exhaustive search on the set $\{g^x : x \in M\}$ to be practical. In the case of 
dichotomous RRT, $M = \{0, 1\}$. 
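The commitment-based Naor-Pinkas variant, written out as an added example that is not code from the paper. It uses a toy group ($q = 1019$, $p = 2q + 1 = 2039$, both prime, with $g = 4$ and $h = 9$ as the two generators of the order-$q$ subgroup) chosen only so that the example runs instantly; in a deployment $q$ would be a cryptographic-size prime and $h$ would be derived so that nobody knows $\log_g h$. The exponent assignment $w_i = g^{s_i} A^{r_i}$, $v_i = (C g^{i-1})^{r_i} B^{s_i}$ is the standard Naor-Pinkas pairing and is an assumption of this example where the scan is unreadable; the function and variable names are the example's own. The zero-knowledge arguments that make the transfer verifiable are not implemented here; what the code shows is that $\mathcal{I}$ can open exactly the $\sigma$-th commitment and that all $y_i$ are ordinary Pedersen commitments on which such arguments can be run.

```python
"""Pedersen commitments and the commitment-based Naor-Pinkas 1-out-of-n OT
of Section 4.  Added example with toy parameters, not the paper's code."""
import secrets

# Toy group: q = 1019 and p = 2q + 1 = 2039 are both prime, so the squares in
# Z_p^* form the unique subgroup G of order q.  g = 2^2 and h = 3^2 are squares
# different from 1, hence generators of G.  Real deployments need a large q and
# an h derived (e.g. by hashing to the group) so that log_g h stays unknown.
P, Q, G, H = 2039, 1019, 4, 9


def commit(mu, rho):
    """Pedersen commitment C_K(mu; rho) = g^mu h^rho with K = (g; h)."""
    return pow(G, mu, P) * pow(H, rho, P) % P


def open_ok(y, mu, rho):
    """Verifier side of an opening: recompute and compare."""
    return y == commit(mu, rho)


def rand_zq():
    return secrets.randbelow(Q)


def chooser_round1(sigma):
    """Interviewer: pick a, b and send (A, B, C) = (g^a, g^b, g^{ab - sigma + 1}).
    Returns the message and the secret b needed in round 3."""
    a, b = rand_zq(), rand_zq()
    A, B = pow(G, a, P), pow(G, b, P)
    C = pow(G, (a * b - sigma + 1) % Q, P)
    return (A, B, C), b


def sender_round2(mus, msg):
    """Respondent: for each i, w_i = g^{s_i} A^{r_i}, v_i = (C g^{i-1})^{r_i} B^{s_i}
    and y_i = C_K(mu_i; v_i mod q).  Returns (w_i), (y_i) and the randomness
    rho_i = v_i mod q that the respondent keeps for later openings/arguments."""
    A, B, C = msg
    ws, ys, rhos = [], [], []
    for i, mu in enumerate(mus, start=1):
        r, s = rand_zq(), rand_zq()
        w = pow(G, s, P) * pow(A, r, P) % P
        v = pow(C * pow(G, i - 1, P) % P, r, P) * pow(B, s, P) % P
        rho = v % Q
        ws.append(w)
        ys.append(commit(mu, rho))
        rhos.append(rho)
    return ws, ys, rhos


def chooser_round3(sigma, b, ws, ys, message_space=(0, 1)):
    """Interviewer: v_sigma = w_sigma^b, then g^{mu_sigma} = y_sigma / h^{v_sigma},
    followed by exhaustive search over the small message space M."""
    v = pow(ws[sigma - 1], b, P)
    h_inv = pow(pow(H, v % Q, P), P - 2, P)      # modular inverse via Fermat
    target = ys[sigma - 1] * h_inv % P
    for m in message_space:
        if pow(G, m, P) == target:
            return m
    return None   # only index sigma decrypts; other indices look random


def run_ot(mus, sigma):
    """Full exchange; returns the recovered mu_sigma plus the transcript."""
    msg, b = chooser_round1(sigma)
    ws, ys, rhos = sender_round2(mus, msg)
    return chooser_round3(sigma, b, ws, ys), ys, rhos
```

Because every $y_i$ is a Pedersen commitment, the respondent can later run AKEncBool and AKLin over the whole vector, while the interviewer has only learnt the one opening $v_\sigma$; for $i \neq \sigma$ the value $w_i^b$ differs from $v_i$ by the factor $g^{(i-\sigma) r_i}$, which is uniform in $G$.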

We define the sender privacy of an oblivious transfer protocol as follows. The 
chooser $\mathcal{I}^*$ chooses $\sigma$ and two different vectors, 
$\mu[1] = (\mu[1]_1, \ldots, \mu[1]_n) \in M^n$ and 
$\mu[2] = (\mu[2]_1, \ldots, \mu[2]_n) \in M^n$, such that $\mu[1]_\sigma = \mu[2]_\sigma$. 
Denote an $\mathcal{I}^*$ that has made such choices by $\mathcal{I}^*(\mu[1], \mu[2])$. 
He submits both tuples to the responder, who flips a fair coin $b \leftarrow [1, 2]$. 
After that, the chooser and the responder execute the protocol 
$\binom{n}{1}$-OT$_K(\mu[b]; \sigma)$. After receiving the responder’s messages, 
$\mathcal{I}^*$ guesses the value of $b$. Let $\mathrm{Adv}^{ot}(\mathcal{I}^*, \mathcal{R})$ 
be the probability that $\mathcal{I}^*$ guesses the correct $b$, where the probability is 
taken over the internal coin tosses of $\mathcal{I}^*$ and $\mathcal{R}$. We say that the 
oblivious transfer protocol is $\varepsilon$-sender-private, if for any unbounded 
algorithm $\mathcal{I}^*$, $\mathrm{Adv}^{ot}(\mathcal{I}^*, \mathcal{R}) \le \varepsilon$. 

Theorem 1. Let $\binom{n}{1}$-OT$_K(\cdot; \cdot)$ be the described oblivious transfer 
protocol. (a) If a malicious $\mathcal{R}^*$ can guess the value of $\sigma$ with 
advantage $\varepsilon$, then he can solve the Decisional Diffie-Hellman (DDH) problem 
with the same probability and in approximately the same time. (b) This protocol is 
$(m - d)(m - 1)/q \le m(m - 1)/q$-sender-private, where $d := q \bmod m$ and $m := |M|$. 

The security proof is omitted from this extended abstract due to the space constraints. 

Zero-Knowledge Arguments. We will use zero-knowledge arguments (and not proofs) 
of knowledge in our protocol, since they are at the very least statistically hiding and 
computationally convincing. This property is important in a setting where a verifier 
must not be able to extract additional information even if he is given infinite time. 

Our first protocol uses only two very standard statistical zero-knowledge arguments. 
The first one is an argument that a given value $y_i$ (Pedersen-)commits to a Boolean 
value $\mu_i \in \{0, 1\}$. One can use standard disjunctive proofs for this. We denote 
the (possibly parallelized) argument that this holds for $i \in [1, n]$ by 
$\mathrm{AKEncBool}(y_1, \ldots, y_n)$. The second argument of knowledge, 
$\mathrm{AKLin}(y_1, \ldots, y_{n+1}; a, b)$, is an argument that the prover knows some 
set of values $\mu_i$, for which $y_i$ is a commitment of $\mu_i$, and such that 
$\sum_{i \le n} \mu_i + a \mu_{n+1} = b$. This argument of knowledge can be constructed 
from Pedersen’s commitment scheme by computing 
$y \leftarrow \prod_{i \le n} y_i \cdot y_{n+1}^{a}$ and arguing that the result $y$ is 
a commitment to $b$. Note that such an argument of knowledge is secure only when 
accompanied by zero-knowledge arguments of knowledge of the values $\mu_i$; for this 
purpose, we employ $\mathrm{AKEncBool}(y_1, \ldots, y_{n+1})$ as described above. 



5 Security Definitions 

Next, we will give the definition of a weakly and strongly secure cryptographic RRT 
(CRRT). The security definitions will be in accordance with the ones in secure two- 
party computation. We will also explain why these requirements are relevant in the case 
of CRRT. 

Assume we have a concrete variant of RRT, like RRT-W or RRT-IQ. Let $\Phi_{p_{ct}}$ be 
the function that implements the desired functionality. For example, in the case of 
RRT-W, $\Phi_{p_{ct}}(x)$ is a randomized function that with probability $p_{ct}$ 
returns $x$, and with probability $1 - p_{ct}$ returns $1 - x$. The ideal-world CRRT 
protocol has three parties, the interviewer $\mathcal{I}$, the respondent $\mathcal{R}$, 
and the trusted third party $\mathcal{T}$. $\mathcal{R}$ has her type $t_{\mathcal{R}}$ 
as her private input, while $\mathcal{I}$ has no private input. Then, $\mathcal{R}$ 
communicates $t_{\mathcal{R}}$ to $\mathcal{T}$, who selects the value 
$r_{\mathcal{R}} \leftarrow \Phi_{p_{ct}}(t_{\mathcal{R}})$ and sends $r_{\mathcal{R}}$ 
to $\mathcal{I}$. After that, the private output of $\mathcal{I}$ will be 
$\Phi_{p_{ct}}(t_{\mathcal{R}})$, while $\mathcal{R}$ will have no private output. It is 
required that at the end of the protocol, the participants will have no information 
about the private inputs and outputs of their partners, except for what can be deduced 
from their own private inputs and outputs. In particular, $\mathcal{I}$ (resp. 
$\mathcal{R}$) has no information about the value of $t_{\mathcal{R}}$ (resp. 
$r_{\mathcal{R}}$), except what they can deduce from their private inputs and outputs. 

In an ideal world, exactly the next three types of attacks are possible: a party can 
(a) refuse to participate in the protocol; (b) substitute his private input to the 
trusted third party with a different value; or (c) abort the protocol prematurely. In 
our case, the attack (c) is irrelevant, since $\mathcal{R}$ has no output. (Attack (c) 
models the case when the first party halts the protocol after receiving his private 
output but before the second party has enough information to compute her output.) 
Therefore, in an ideal-world RRT protocol, we cannot protect against a participant who 
(a) refuses to participate in polling (non-participation attack) or (b) claims that her 
type is $1 - t_{\mathcal{R}}$, where $t_{\mathcal{R}}$ is her real type (absolute denial 
attack). No other attacks should be possible. Note that neither (a) nor (b) is 
traditionally considered an attack in the context of polling or voting. The argument 
here is game-theoretic, and the solutions must be proposed by mechanism design, instead 
of cryptography: namely, a non-manipulable mechanism (e.g., the algorithm with which the 
election winner is determined from all the collected votes) must be designed so that 
answering against one’s true type (or non-participation) would not give more beneficial 
results to the respondent than the truthful answer. 

On the other hand, as we stated, no other attacks should be allowed. This requirement 
is very strict, so we will explain why it is necessary in the RRT’s context. Clearly, 
one must protect the privacy of $\mathcal{R}$, since this is the primary goal of a RRT. 
It is also necessary to protect the privacy of $\mathcal{I}$, although the reason here 
is more subtle. Namely, if $\mathcal{R}$ obtains any additional information about 
$r_{\mathcal{R}}$ before the end of the protocol (for example, if she suspects that 
$r_{\mathcal{R}} \ne t_{\mathcal{R}}$), she might halt the protocol. Such a behavior by 
a malicious respondent might cause a bias in the poll, as already explained. (Halting 
the protocol while having no information on $r_{\mathcal{R}}$ is equivalent to the 
non-participation attack.) The third requirement on the protocol, of course, is that 
$\mathcal{I}$ either halts or receives $\Phi_{p_{ct}}(x)$, where $x$ is the input 
submitted by $\mathcal{R}$. 

In a real-world implementation, we want to replace $\mathcal{T}$ by a cryptographic 
protocol $\Pi = (\mathcal{R}, \mathcal{I})$ between $\mathcal{R}$ and $\mathcal{I}$. 
This protocol $(\mathcal{R}, \mathcal{I})$ is assumed to be “indistinguishable” from 
the ideal-world protocol, that is, with a high probability, it should be secure against 
all attacks that do not involve attacks (a) or (b). “Secure” means that the privacy of 
$\mathcal{R}$ (resp. $\mathcal{I}$) must be protected, if $\mathcal{R}$ (resp. 
$\mathcal{I}$) follows the protocol, and that $\mathcal{I}$ either halts, or receives 
the value $\Phi_{p_{ct}}(x)$, where $x$ was the submitted value of $\mathcal{R}$. The 
security of the respondent should be information-theoretical, while the security of the 
interviewer can be computational. That is, a secure CRRT-W protocol must have the next 
three properties (here, $k$ is the security parameter): 

Privacy of Respondent: Let $\mathcal{I}^*$ be an algorithm. After the end of the 
protocol execution $(\mathcal{R}, \mathcal{I}^*)$, $\mathcal{I}^*$ will have no more 
information on $t_{\mathcal{R}}$ than it would have had after the execution of the 
ideal-world protocol. That is, assuming that $\mathrm{view}_{\mathcal{I}^*}$ is his view 
of the protocol $(\mathcal{R}, \mathcal{I}^*)$, define 
$\mathrm{Adv}^{res}(\mathcal{R}, \mathcal{I}^*) := 
\left|\Pr[\mathcal{I}^*(\mathrm{view}_{\mathcal{I}^*}, r_{\mathcal{R}}) = t_{\mathcal{R}}] 
- \Pr[t_{\mathcal{R}} \mid r_{\mathcal{R}}]\right|$, where the probability is taken 
over the internal coin tosses of $\mathcal{I}^*$ and $\mathcal{R}$. We say that a CRRT 
protocol is privacy-preserving for the respondent, if 
$\mathrm{Adv}^{res}(\mathcal{R}, \mathcal{I}^*)$ is negligible (in $k$) for any 
unbounded adversary $\mathcal{I}^*$. 
Privacy of Interviewer: Let $\mathcal{R}^*$ be an algorithm. Assume that $\mathcal{I}$ 
halts when $\mathcal{R}^*$ halts. After the end of the protocol execution 
$(\mathcal{R}^*, \mathcal{I})$, $\mathcal{R}^*$ will have no more information on 
$r_{\mathcal{R}}$ than it would have had after the execution of the ideal-world 
protocol. That is, assuming that $\mathrm{view}_{\mathcal{R}^*}$ is her view of the 
protocol $(\mathcal{R}^*, \mathcal{I})$, define 
$\mathrm{Adv}^{int}(\mathcal{R}^*, \mathcal{I}) := 
\left|\Pr[\mathcal{R}^*(\mathrm{view}_{\mathcal{R}^*}, t_{\mathcal{R}}) = r_{\mathcal{R}}] 
- \Pr[\mathcal{R}^*(t_{\mathcal{R}}) = r_{\mathcal{R}}]\right|$, where the probability 
is taken over the internal coin tosses of $\mathcal{R}^*$ and $\mathcal{I}$. We say that 
a CRRT protocol is privacy-preserving for the interviewer, if for any adversary 
$\mathcal{R}^*$, if $\mathrm{Adv}^{int}(\mathcal{R}^*, \mathcal{I}) \le \varepsilon$ 
and $\mathcal{R}^*$ takes $\tau$ steps of computation then $\varepsilon\tau$ is 
negligible (in $k$). 

Correctness: Let $\mathcal{R}^*(x)$ be an algorithm with private input $x$ to the 
protocol $(\mathcal{R}^*, \mathcal{I})$. Assume that $\mathcal{I}$ halts when 
$\mathcal{R}^*$ halts. We require that at the end of the protocol execution 
$(\mathcal{R}^*, \mathcal{I})$, $\mathcal{I}$ will either halt, or otherwise receive 
$\Phi_{p_{ct}}(x)$ with high probability. That is, assuming that 
$\mathrm{view}_{\mathcal{I}}$ is $\mathcal{I}$’s view of the protocol 
$(\mathcal{R}^*, \mathcal{I})$, define 
$\mathrm{Adv}^{cor}(\mathcal{R}^*, \mathcal{I}) := 
1 - \Pr[\mathcal{I}(\mathrm{view}_{\mathcal{I}}) = \Phi_{p_{ct}}(x) \mid 
\mathcal{I} \text{ does not halt}]$, where the probability is taken over the internal 
coin tosses of $\mathcal{I}$ and $\mathcal{R}^*$. We say that a CRRT protocol is 
correct, if for any adversary $\mathcal{R}^*$, if 
$\mathrm{Adv}^{cor}(\mathcal{R}^*, \mathcal{I}) = \varepsilon$ and $\mathcal{R}^*$ 
takes up to $\tau$ steps of computation then $\varepsilon\tau$ is negligible (in $k$). 

We call a cryptographic RRT (CRRT) protocol weakly secure if it is privacy-preserving 
for the respondent and correct. We call a CRRT protocol (strongly) secure if it is 
weakly secure and it is privacy-preserving for the interviewer. While a secure CRRT 
protocol is preferable in many situations, there are settings where a weakly secure 
CRRT protocol suffices, such as where halting can be easily detected and punished, or 
where means for state recovery prevent modifications between a first and a second 
attempt of executing the protocol. 



6 Cryptographic RRT 



We will propose three different CRRT-W protocols. In the first two protocols, the 
common parameters are $p_{ct} = \ell/n > 1/2$ for $\ell, n \in \mathbb{Z}$; generators 
$g$ and $h$ whose mutual discrete logs are unknown (at least by $\mathcal{R}$); and 
$K = (g; h)$. $\mathcal{R}$ has private input $t = t_{\mathcal{R}}$, and 
$\mathcal{I}$’s private output is $r_{\mathcal{R}}$. 

CRRT Protocol Based on Oblivious Transfer. Our first implementation of RRT-W 
is described in Protocol 1. The arguments of knowledge can be efficiently constructed, 
see Sect. 4. Here, we can use $\mathrm{AKLin}(y_1, \ldots, y_{n+1}; 2\ell - n; \ell)$ 
since $\sum_{i \le n} \mu_i + (2\ell - n)\mu_{n+1} = \ell$ independently of the value 
of $t$. All the steps in this protocol must be authenticated. 

Protocol 1: A secure CRRT-W protocol based on oblivious transfer 

Precomputation step: 

1. $\mathcal{R}$ prepares $n$ random bits $\mu_i \in \{0, 1\}$ for $i \in [1, n]$, 
such that $\sum_i \mu_i = \ell$ if $t = 1$ and $\sum_i \mu_i = n - \ell$ if $t = 0$. 
Additionally, she sets $\mu_{n+1} \leftarrow 1 - t$. 

2. $\mathcal{I}$ chooses an index $\sigma \in [1, n]$. 

Interactive step: 

1. $\mathcal{I}$ and $\mathcal{R}$ follow $\binom{n}{1}$-OT$_K(\mu_1, \ldots, \mu_n; \sigma)$; 
$\mathcal{I}$ obtains $g^{\mu_\sigma}$, and computes $\mu_\sigma$ from that. 

2. $\mathcal{R}$ performs zero-knowledge arguments $\mathrm{AKEncBool}(y_1, \ldots, y_{n+1})$ 
and $\mathrm{AKLin}(y_1, \ldots, y_{n+1}; 2\ell - n; \ell)$ with $\mathcal{I}$ as the 
verifier. 

3. $\mathcal{I}$ halts if the verification fails. 

If we take the number of bits that must be committed as the efficiency measure 
(communication complexity of the protocol), then our protocol has complexity $O(n)$. 
In the polling application, one can most probably assume that $n < 5$. The security 
proofs of this protocol follow directly from the properties of the underlying 
primitives. As a direct corollary of Theorem 1, we get that Protocol 1 is 
privacy-preserving for the respondent 
($\mathrm{Adv}^{res}(\mathcal{R}, \mathcal{I}^*) \le 2/q + O(1/q)$, where the constant 
comes in from the use of statistically-hiding zero-knowledge arguments). It is 
privacy-preserving for the interviewer, given the Decisional Diffie-Hellman (DDH) 
assumption. The correctness of this protocol follows from the properties of the 
zero-knowledge arguments used under the DDH assumption. 

In a simplified weakly secure protocol based on the same idea, $\mathcal{R}$ commits 
to all $\mu_i$ by computing and publishing $y_i \leftarrow C_K(\mu_i; \rho_i)$. Next, 
$\mathcal{R}$ argues $\mathrm{AKEncBool}(y_1, \ldots, y_{n+1})$ and 
$\mathrm{AKLin}(y_1, \ldots, y_{n+1}; 2\ell - n; \ell)$. After that, $\mathcal{I}$ 
sends $\sigma$ to $\mathcal{R}$, who then reveals $\mu_\sigma$ and $\rho_\sigma$. Upon 
obtaining these, $\mathcal{I}$ verifies the correctness of the previously received 
corresponding commitment, outputting $\mu_\sigma$. 
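The weakly secure variant just described, as an added example that is not the paper's code. It reuses the toy Pedersen parameters from the Section 4 example ($p = 2039$, $q = 1019$, $g = 4$, $h = 9$; an assumption for illustration only) and shows the respondent's precomputation (the $\mu_i$ with $\sum_{i \le n}\mu_i = \ell$ or $n - \ell$ and $\mu_{n+1} = 1 - t$), the homomorphic check behind AKLin, and the interviewer's verification of the revealed opening. One simplification is an assumption of this example: instead of the zero-knowledge argument AKLin, the respondent reveals the aggregate randomness $R = \sum_{i \le n}\rho_i + (2\ell - n)\rho_{n+1}$, which lets $\mathcal{I}$ check that $\prod_{i \le n} y_i \cdot y_{n+1}^{2\ell - n}$ opens to $\ell$; AKEncBool (the disjunctive Boolean argument) is not implemented, so the example does not stop a respondent who commits to values outside $\{0, 1\}$.

```python
"""Weakly secure CRRT-W of Section 6 (commitment-based variant).
Added example, not the paper's code; toy parameters as in the Section 4 example."""
import secrets

P, Q, G, H = 2039, 1019, 4, 9   # toy Pedersen parameters (assumption, see text)


def commit(mu, rho):
    """Pedersen commitment C_K(mu; rho) = g^mu h^rho."""
    return pow(G, mu, P) * pow(H, rho, P) % P


def respondent_prepare(t, n, ell):
    """Precomputation: n shuffled bits with ell ones if t = 1 (n - ell if t = 0),
    plus mu_{n+1} = 1 - t.  Returns bits, randomness and commitments y_i."""
    ones = ell if t == 1 else n - ell
    bits = [1] * ones + [0] * (n - ones)
    secrets.SystemRandom().shuffle(bits)
    bits.append(1 - t)
    rhos = [secrets.randbelow(Q) for _ in bits]
    ys = [commit(m, r) for m, r in zip(bits, rhos)]
    return bits, rhos, ys


def aklin_witness(rhos, a):
    """Stand-in for AKLin (assumption of this example): the respondent reveals the
    aggregate randomness R = sum_{i<=n} rho_i + a*rho_{n+1}, nothing else."""
    return (sum(rhos[:-1]) + a * rhos[-1]) % Q


def aklin_verify(ys, a, b, R):
    """Verifier: prod_{i<=n} y_i * y_{n+1}^a must be a commitment to b under R.
    By the homomorphism this holds iff sum_{i<=n} mu_i + a*mu_{n+1} = b."""
    y = 1
    for yi in ys[:-1]:
        y = y * yi % P
    y = y * pow(ys[-1], a % Q, P) % P
    return y == commit(b, R)


def interviewer_output(ys, sigma, mu_sigma, rho_sigma):
    """I checks that (mu_sigma, rho_sigma) opens y_sigma; halts (None) otherwise."""
    if commit(mu_sigma, rho_sigma) != ys[sigma - 1]:
        return None
    return mu_sigma


def run_weak_crrt(t, n, ell):
    """One full run: prepare, linear check with a = 2*ell - n and b = ell,
    then I picks sigma and receives the opening of y_sigma."""
    bits, rhos, ys = respondent_prepare(t, n, ell)
    a, b = 2 * ell - n, ell
    if not aklin_verify(ys, a, b, aklin_witness(rhos, a)):
        return None
    sigma = secrets.randbelow(n) + 1
    return interviewer_output(ys, sigma, bits[sigma - 1], rhos[sigma - 1])


def all_ones_prepare(n, ell):
    """A respondent who commits to all ones (so every sigma yields 1) cannot pass
    the linear check, because the aggregate commitment opens to n + (2*ell - n)."""
    bits = [1] * (n + 1)
    rhos = [secrets.randbelow(Q) for _ in bits]
    return bits, rhos, [commit(m, r) for m, r in zip(bits, rhos)]


def empirical_truth_rate(t, n, ell, trials):
    """Fraction of runs in which I's output equals t; should approach ell/n."""
    hits = sum(1 for _ in range(trials) if run_weak_crrt(t, n, ell) == t)
    return hits / trials
```

The run is weakly secure in the paper's sense: $\mathcal{R}$ learns $\sigma$ before opening and can therefore halt selectively, which is exactly what the OT-based Protocol 1 removes.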

CRRT from Coin-Flipping. Protocol 2 depicts a secure CRRT-W protocol with 
communication complexity $O(d \log_2 n)$, where $d := \lceil 1/(1 - p_{ct}) \rceil$, 
and $p_{ct} = \ell/n$ as previously. While in the common RRT application one can 
usually assume that $n$ is relatively small, this second protocol is useful in some 
specific game-theoretic applications where for the best outcome, $p_{ct}$ must have a 
very specific value. The idea behind this protocol is that at least one of the integers 
$\rho + u + i\ell \bmod n$ must be in the interval $[0, \ell - 1]$, and at least one of 
them must be in the interval $[\ell, n - 1]$. Hence, $\mathcal{I}$ gets the necessary 
proofs for both the 0 and the 1 answer, which is sufficient for his goal. For his 
choice to be accepted, he must accompany the corresponding $r$ with $\mathcal{R}$’s 
signature on his commitment on $a$. 



Precomputation step: 

1. $\mathcal{R}$ chooses a random $\rho \leftarrow_r [0, n - 1]$. 

2. $\mathcal{I}$ chooses random $u \leftarrow_r [0, n - 1]$ and $a \leftarrow_r [0, d - 1]$. 

Interactive step: 

1. $\mathcal{R}$ commits to $t$ and $\rho$, and sends the commitments to $\mathcal{I}$. 

2. $\mathcal{I}$ commits to $a$, by setting $y \leftarrow C_K(a; \rho_{\mathcal{I}})$ 
for some random $\rho_{\mathcal{I}}$. He sends $u$ and $y$ to $\mathcal{R}$, together 
with a zero-knowledge argument that $y$ is a commitment of some $i \in [0, d - 1]$. 

3. $\mathcal{R}$ verifies the argument. She computes values $\rho'_i$, for 
$i \in [0, d - 1]$, such that $\rho'_i = t \iff (\rho + u + i\ell \bmod n) < \ell$. 
She signs $y$, and sends her signature together with $\{\rho'_i\}$ and the next 
zero-knowledge argument for every $i \in [0, d - 1]$: 
$[\rho'_i = t \iff (\rho + u + i\ell \bmod n) < \ell]$. 

4. After that, $\mathcal{I}$ sets $r_{\mathcal{R}} \leftarrow \rho'_a$. He will 
accompany this with $\mathcal{R}$’s signature on the commitment, so that both 
$\mathcal{R}$ and third parties can verify it. 

Protocol 2: A secure CRRT-W protocol based on coin-flipping 









Cryptographic Randomized Response Techniques 435 



Precomputation step: 

1. $\mathcal{I}$ chooses random $u_0 \leftarrow_r [0, 1]$, $u_1 \leftarrow_r [0, 1]$. 
He generates quantum states 
$|\psi_0\rangle = \sqrt{p_{ct}}\,|u_0\rangle + \sqrt{1 - p_{ct}}\,|1 - u_0\rangle$, 
$|\psi_1\rangle = \sqrt{p_{ct}}\,|u_1\rangle + \sqrt{1 - p_{ct}}\,|1 - u_1\rangle$. 

2. $\mathcal{R}$ chooses a random $i \leftarrow_r [0, 1]$. 

Interactive step: 

1. $\mathcal{I}$ sends $|\psi_0\rangle$ and $|\psi_1\rangle$ to $\mathcal{R}$. 

2. $\mathcal{R}$ sends $i$ to $\mathcal{I}$. 

3. $\mathcal{I}$ sends $u_i$ to $\mathcal{R}$. 

4. $\mathcal{R}$ measures the state $|\psi_i\rangle$ in the basis 
$|\psi_{u_i}\rangle = \sqrt{p_{ct}}\,|u_i\rangle + \sqrt{1 - p_{ct}}\,|1 - u_i\rangle$, 
$|\psi_{u_i}^{\perp}\rangle = \sqrt{1 - p_{ct}}\,|u_i\rangle - \sqrt{p_{ct}}\,|1 - u_i\rangle$ 
and halts if the result is not $|\psi_{u_i}\rangle$. 

5. If the verification is passed, $\mathcal{R}$ performs the transformation 
$|0\rangle \to |t\rangle$, $|1\rangle \to |1 - t\rangle$ on the state 
$|\psi_{1-i}\rangle$ and sends it back to $\mathcal{I}$. 

6. $\mathcal{I}$ measures the state in the basis $|0\rangle, |1\rangle$, gets outcome 
$s$. $\mathcal{I}$ outputs $r \leftarrow u_{1-i} \oplus s$. 

Protocol 3: A quantum CRRT-W protocol. 



A weakly secure version of this protocol is especially efficient. There, one should 
set $d \leftarrow 1$, and omit the steps in Protocol 2 that depend on $d$ being greater 
than 1. (E.g., there is no need to commit to $a$ anymore.) Thus, such a protocol would 
have communication complexity $\Theta(\log_2 n)$. Now, $p_{ct} > 1/2$ (otherwise one 
could just do a bit-flip on the answers), and hence $d \ge 2$. On the other hand, the 
privacy of respondents is in danger if say $p_{ct} > 3/4$. Thus, we may assume that 
$d \in [3, 4]$. Therefore, Protocol 2 will be more communication-efficient than 
Protocol 1 as soon as $n / \log_2 n > 4 \ge d$, or $n > 16$. The weakly secure version 
will always be more communication-efficient. 

This protocol is especially efficient if the used commitment scheme is an integer 
commitment scheme. In this case, to argue that $(\rho + u + i\ell \bmod n) < \ell$ one 
only must do the next two simple steps: first, argue that $\rho + u + i\ell = z + en$ 
for some $z$, $e$, and then, argue that $z \in [0, \ell - 1]$. This can be done 
efficiently by using the range proofs from [Lip03a]. One can also use Pedersen’s 
scheme, but this would result in more complicated arguments. 
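The index arithmetic that Protocol 2 relies on, as an added example that is not the paper's code. It computes $d = \lceil 1/(1 - p_{ct}) \rceil$ for $p_{ct} = \ell/n$, the respondent's values $\rho'_i$, and checks two things the text asserts: that for every $\rho, u$ at least one of the $d$ integers $\rho + u + i\ell \bmod n$ lies in $[0, \ell - 1]$ and one in $[\ell, n - 1]$ (verified exhaustively for all small $n$ and $\ell$ with $1/2 < \ell/n < 1$), and that for any fixed interviewer index $a$ the answer $r = \rho'_a$ equals $t$ with probability exactly $\ell/n$ over uniform $\rho$ and $u$. The function names are the example's own; the commitments, signatures and range arguments of the protocol are outside its scope.

```python
"""Index arithmetic of Protocol 2 (CRRT from coin-flipping).
Added example, not the paper's code."""
from fractions import Fraction
from itertools import product


def d_for(n, ell):
    """d := ceil(1 / (1 - p_ct)) with p_ct = ell/n, i.e. ceil(n / (n - ell))."""
    return -(-n // (n - ell))


def rho_primes(t, rho, u, n, ell):
    """Respondent's values rho'_i for i in [0, d-1]:
    rho'_i = t iff (rho + u + i*ell mod n) < ell, otherwise 1 - t."""
    d = d_for(n, ell)
    return [t if (rho + u + i * ell) % n < ell else 1 - t for i in range(d)]


def both_answers_present(rho, u, n, ell):
    """True iff some index lands in [0, ell-1] and some index in [ell, n-1],
    so the respondent must supply arguments for both a t and a 1-t answer."""
    vals = [(rho + u + i * ell) % n for i in range(d_for(n, ell))]
    return any(v < ell for v in vals) and any(v >= ell for v in vals)


def claim_holds_for_all(n, ell):
    """Exhaustive check of the interval claim over all rho, u in [0, n-1]."""
    return all(both_answers_present(rho, u, n, ell)
               for rho, u in product(range(n), repeat=2))


def check_all(max_n=24):
    """The claim for every n <= max_n and every ell with 1/2 < ell/n < 1."""
    return all(claim_holds_for_all(n, ell)
               for n in range(3, max_n + 1)
               for ell in range(n // 2 + 1, n))


def truthful_rate(t, a, n, ell):
    """Exact Pr[r = t] for a fixed interviewer index a, over uniform rho and u.
    Returns a Fraction; the protocol's design target is ell/n = p_ct."""
    assert 0 <= a < d_for(n, ell)
    hits = sum(1 for rho, u in product(range(n), repeat=2)
               if rho_primes(t, rho, u, n, ell)[a] == t)
    return Fraction(hits, n * n)


def interviewer_answer(t, rho, u, a, n, ell):
    """What an honest interviewer outputs: r_R = rho'_a."""
    return rho_primes(t, rho, u, n, ell)[a]
```

The exhaustive check is the reason the weakly secure variant with $d \leftarrow 1$ is cheaper: with a single index there is nothing to commit to in advance, while for $d \ge 2$ the interviewer must fix $a$ before seeing the $\rho'_i$ so that he cannot pick whichever answer he prefers.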

Quantum-Cryptographic RRT. The next quantum CRRT protocol (see Protocol 3) 
works also for irrational $p_{ct}$, and provides a relaxed form of information-theoretic 
security to both parties. While not secure by our previous definitions, it provides 
meaningfully low bounds on the probabilities of success for a cheater. Namely, (a) if 
dishonest, $\mathcal{R}$ cannot make his vote count as more than $\sqrt{2}$ votes: if 
$p_{ct} = \frac{1}{2} + \varepsilon$ then $p_{adv} \le \frac{1}{2} + \sqrt{2}\,\varepsilon$. 
(The full version of this paper has a slightly better bound with a more complicated 
expression for $p_{adv}$.) (b) If a dishonest strategy allows $\mathcal{I}$ to learn $t$ 
with probability $p_{ct} + \varepsilon$, it also leads to $\mathcal{I}$ being caught 
cheating with probability at least. This form of security (information-theoretic 
security with relaxed definitions) is common for quantum protocols for tasks like bit 
commitment or coin flipping. The security guarantees of our quantum protocol compare 
quite well to ones achieved for those tasks. A desirable property of this quantum 
protocol is that it can be implemented by using contemporary technology, since it only 
involves transmitting and measuring single qubits, and no maintaining of coherent 
multi-qubit states. 
To show the main ideas behind the quantum protocol, we now show how to analyze a 
simplified version of Protocol 3. The security proof for the full protocol is quite 
complicated and will be given in the full version of this paper. 

The simplified version of Protocol 3 is: (1) $\mathcal{I}$ chooses a random 
$u \leftarrow_r [0, 1]$, prepares a quantum bit in the state 
$|\psi_u\rangle = \sqrt{p_{ct}}\,|u\rangle + \sqrt{1 - p_{ct}}\,|1 - u\rangle$ and sends 
it to $\mathcal{R}$; (2) $\mathcal{R}$ performs a bit flip if her type $t = 1$, and 
sends the quantum bit back to $\mathcal{I}$; (3) $\mathcal{I}$ measures the state in 
the computational basis $|0\rangle, |1\rangle$, gets answer $s$. The answer is 
$r = u \oplus s$. If both parties are honest, the state returned by the respondent is 
$\sqrt{p_{ct}}\,|u\rangle + \sqrt{1 - p_{ct}}\,|1 - u\rangle$ (unchanged) if $t = 0$ 
and $\sqrt{p_{ct}}\,|1 - u\rangle + \sqrt{1 - p_{ct}}\,|u\rangle$ if $t = 1$. Measuring 
this state gives the correct answer with probability $1 - p_{ct}$. Next, we show that 
the respondent is unable to misuse this protocol. 

Theorem 2. For any respondent’s strategy $\mathcal{R}^*$, the probability of the honest 
interviewer $\mathcal{I}$ getting $r = 1$ is between $1 - p_{ct}$ and $p_{ct}$. 
Therefore, the previous protocol is both correct and privacy-preserving for the 
interviewer. 

Proof. We show that the probability of $r = 1$ is at most $p_{ct}$. The other direction 
is similar. We first modify the (simplified) protocol by making $\mathcal{R}^*$ measure 
the state and send the measured result to $\mathcal{I}$; this does not change the result 
of the honest protocol since the measurement remains the same. Also, any cheating 
strategy for $\mathcal{R}^*$ in the original protocol can be used in the new protocol 
as well. So, it is sufficient to bound the probability of $r = 1$ in the new protocol. 
The answer is $r = 1$ if $\mathcal{I}$ sent $|\psi_i\rangle$ and $\mathcal{R}^*$ sends 
back $j$, with $i \ne j$. By a well-known fact, the maximum success probability with 
which one can distinguish two qubits is $\frac{1}{2} + \frac{\sin\beta}{2}$, where 
$\beta$ is the angle between the two qubits. The rest is a calculation: to determine 
the angle $\beta$ between $|\psi_0\rangle$ and $|\psi_1\rangle$, it suffices to 
determine the inner product, which is $\cos\beta = 2\sqrt{p_{ct}(1 - p_{ct})}$. 
Therefore, $\sin\beta = \sqrt{1 - \cos^2\beta} = 2p_{ct} - 1$ and 
$\frac{1}{2} + \frac{\sin\beta}{2} = p_{ct}$. $\square$ 

On the other hand, when using this simplified version, a dishonest interviewer 
$\mathcal{I}^*$ can always learn $t$ with probability 1. Namely, it suffices to send 
the state $|0\rangle$. If $t = 0$, $\mathcal{R}$ sends $|0\rangle$ back unchanged. If 
$t = 1$, $\mathcal{R}$ applies a bit flip. The state becomes $|1\rangle$. 
$\mathcal{I}$ can then distinguish $|0\rangle$ from $|1\rangle$ with certainty by a 
measurement in the computational basis. 

Note that this is similar to a classical “protocol”, where $\mathcal{I}$ first generates 
a random $u$ and sends a bit $i$ that is equal to $u$ with probability $p_{ct}$ and 
$1 - u$ with probability $1 - p_{ct}$. $\mathcal{R}$ then flips the bit if $t = 1$ and 
sends it back unchanged if $t = 0$. The interviewer XORs it with $u$, getting $t$ with 
probability $p_{ct}$ and $1 - t$ with probability $1 - p_{ct}$. In this “protocol”, 
$\mathcal{R}$ can never cheat. However, $\mathcal{I}^*$ can learn $t$ with probability 
1 by just remembering $i$ and XORing the answer with $i$ instead of $u$. In the 
classical world, this flaw is fatal because $\mathcal{I}$ cannot prove that he has 
generated $i$ from the correct probability distribution and has not kept a copy of $i$ 
for himself. In the quantum case, $\mathcal{I}$ can prove to $\mathcal{R}$ that he has 
correctly prepared the quantum state. Then, we get Protocol 3 with $\mathcal{I}$ 
sending two states $|\psi_{u_0}\rangle$ and $|\psi_{u_1}\rangle$, one of which is 
verified and the other is used for transmitting $t$. A detailed analysis of this 
protocol is omitted from this extended abstract. 
7 Protocols for Other RRTs and Extensions 

Protocol for Cryptographic RRT-IQ. Recall that in one version of RRT-IQ, the 
respondent would reply with his true opinion $t_{\mathcal{R}}$ with a rational 
probability $p_{ct}$ (as in Protocol 1, $p_{ct} = \ell/n$), while he would otherwise 
flip a coin and answer whether it came up tails. Like for CRRT-W, it is important to 
guarantee the use of correct distributions. Protocol 1 can be easily changed to work for 
this version of RRT-IQ. Instead of $n$ random bits, $\mathcal{R}$ prepares $2n$ random 
bits $\mu_i$, so that either $\sum_{i=1}^{n} \mu_i = \ldots$ and 
$\sum_{i=n+1}^{2n} \mu_i = \ldots$, or $\sum_{i=1}^{n} \mu_i = \ldots$ and 
$\sum_{i=n+1}^{2n} \mu_i = \ldots$. Standard techniques can be used to prove that the 
bits were prepared correctly, after which $\mathcal{I}$ chooses one of the $2n$ bits 
by using the verifiable oblivious transfer protocol. (Here, of course, $n$ must be 
even.) 

Protocol for Cryptographic PRRT-BD. The next protocol is a modification of Pro-
tocol 1 as well. Let $p_i$ be such that $p_{ct} + \cdots$; assume that every
respondent has a type $t_{\mathcal{R}} \in [1, m]$. Assume $p_{ct} = t/n$, $p_i = t_i/n$ and that $p_i = 0$ if
$i \notin [1, m]$. Assume $D > \max(t, t_1, \ldots, t_m) + 1$. The respondent prepares $n$ numbers
$\ldots$, such that $\sharp\{i : p_i = t_{\mathcal{R}}\} = d \cdot t_{\mathcal{R}} + \cdots$ and $\sharp\{i : p_i = j\} = \cdots$ if $j \neq t_{\mathcal{R}}$. Then the
interviewer and respondent will execute a variant of OT with choice $\alpha$, during which
the interviewer only gets to know the value $p_\alpha$. Then the respondent argues that the sum
of all commitments is a commitment to the value $\cdots$, for some $j \in [1, m]$,
by using range-proofs in exponents [LAN02]. (A more efficient proof methodology
is available when $D$ is a prime [LAN02], given that one uses an integer commitment
scheme.) Additionally, she argues that every single commitment corresponds to a value
$D^i$ for $i \in [1, m]$, also using range-proofs of exponents [LAN02]. After the OT step, the
interviewer gets $D^{\cdots}$, and recovers $p_\alpha$ from it efficiently. (Note that $m \le 10$ is typical
in the context of polling.)

Extensions to Hierarchies of Interviewers. One can consider a hierarchy of interview- 
ers, reporting to some central authority. If there is a trust relationship between these two 
types of parties, no changes to our protocol would be required. However, if the cen- 
tral authority would like to be able to avoid having to trust interviewers, the following 
modifications could be performed. First, each respondent would have to authenticate 
the transcript he generates, whether with a standard signature scheme, a group signa- 
ture scheme, etc. Second, and in order to prevent collusions between interviewers and 
respondents, the interviewers must not be allowed to know the choice a made in a 
particular interview. Thus, the triple $(A, B, C)$ normally generated by the interviewer
during the Naor-Pinkas OT protocol would instead have to be generated by the central
authority, and kept secret by the same. More efficient versions of proxy OT satisfying
our other requirements are beneficial for this application.

Full version. Due to the space constraints, we had to omit the security proof of the
new verifiable oblivious transfer protocol and a detailed analysis of the quantum RRT
protocol. The full version of this paper is available from the IACR eprint archive.
Abstract. A mix network achieving strong correctness and privacy is
proposed. The degree of correctness and privacy are precisely stated and
a formal proof of correctness is given. A grouping function is employed
to achieve stronger correctness and higher efficiency without compromis-
ing strong privacy. In order to further improve the efficiency of the mix
network a new batch verification technique, suitable for verifying mul-
tiple proofs of knowledge, is presented together with a formal proof of
soundness.



Keywords: re-encryption mix network, shuffling, batch verification 

1 Introduction 

Mix networks are important tools to implement anonymity and are widely em-
ployed in many cryptographic applications such as e-voting and e-auctions. Since
the original proposal of Chaum [6] many mix networks have been proposed in the 
research literature. However, most of them are inefficient, vulnerable, or limited 
to some special applications. Abe [1] introduced the idea of improving efficiency 
by dividing a costly large-scale verification operation into a few efficient small- 
scale verification operations. In this paper, we use Abe’s idea in a new way to 
design a mix network with several novel features and avoiding some shortcomings 
of Abe’s scheme. Our final proposal is simpler and more efficient than Abe’s mix 
network, and also more efficient than other mix networks employing verification 
of shuffling on each server (e.g. [8, 14, 10]), especially when a large number of 
values are shuffled. Unlike other schemes, the new proposal achieves correctness 
and privacy more clearly and precisely. Therefore, our scheme is more suitable 
for many applications. 

We divide the explanation of the new mix network into three stages. First 
a prototype Mix-1 is proposed, which employs a new verification mechanism 
to achieve formally proved correctness. Then Mix-1 is optimised to Mix-2 by 
adopting a grouping function. Compared to Mix-1, Mix-2 improves efficiency, 
strengthens correctness, and maintains strong privacy. Finally, a formally proved 
batch verification technique is applied to optimize Mix-2 to Mix-3, the final 
protocol achieving even higher efficiency. 



F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 439-454, 2004. 
(c) International Association for Cryptologic Research 2004 
The remainder of this paper is structured as follows. In section 2, previous
work on mix networks is introduced. In section 3, a new method of correctness 
verification and a new batch verification technique are proposed. In section 4, 
the new mix network is presented. In section 5, security and other properties of 
the proposed mix network are analysed. Section 6 is a conclusion. 

Parameter settings in the remainder of this paper are as follows. 

— Let $q$ and $p = 2q+1$ be large primes. $G$ is the cyclic subgroup of $Z_p^*$ with
order $q$. Let $g$ and $h$ be generators of $G$. The ElGamal encryption algorithm is
applied on $G$ with private key $x \in Z_q$ and public key $(g, y = g^x)$. In this
paper, when an ElGamal ciphertext $(a, b)$ is presented for decryption, $a \in G$
and $b \in G$ are not checked. If $a \in Z_p^*$ and $b \in Z_p^*$, the ciphertext is decrypted
and the decryption result is only guaranteed to be in $Z_p^*$.

— There are $n$ users and $m$ servers in the mix network. The number of honest
servers is $e$. If secret sharing is performed among the servers, the threshold
is $t$ (usually $m = 2t+1$).

2 Related Work 

A mix network shuffles a number of ciphertext inputs, each from one user, to the 
same number of plaintext outputs, so that 1) the outputs are a permutation of the 
plaintexts of the inputs; 2) the permutation between the inputs and the outputs 
is unknown, so that the users cannot be linked to their outputs. These two 
properties are called correctness and privacy. A mix network achieves robustness 
if it can still work properly in abnormal situations, such as failure of one or more 
switching nodes. A mix network is publicly verifiable if its correctness can be 
publicly verified. A mix network is usually composed of a few servers, working 
in sequence. Each server gets its inputs from the previous server and randomly 
permutes them to a set of outputs, which are inputs to the next server. 

According to the processing performed by the servers, mix networks can be
classified into two types: decryption chain mix networks and re-encryption mix
networks. In the former type each input is sequentially encrypted for each server
by the user. Consequently failure of any server means that the input message
cannot be recovered if each server keeps his private key secret as required to
achieve strong privacy. Therefore decryption chain mix networks inherently lack
robustness. Only re-encryption mix networks are discussed further in this paper.

Ogata et al. [15] introduced a basic structure for re-encryption mix net-
works, which was further developed in many later papers. Suppose the ElGamal
encryption scheme is employed with private key $x$ and public key $(g, y = g^x)$.
Several decrypting authorities share $x$ by $t$-out-of-$m$ threshold verifiable se-
cret sharing. The $m$ servers $SV_j$ for $j = 1, 2, \ldots, m$ form a mix network to
shuffle $n$ encrypted inputs $c_i$ for $i = 1, 2, \ldots, n$. Inputs to $SV_j$ are $c_{j-1,i}$ for
$i = 1, 2, \ldots, n$ while $c_{0,i} = c_i$ for $i = 1, 2, \ldots, n$. Outputs of $SV_j$ are $c_{j,i}$ for
$i = 1, 2, \ldots, n$. On server $SV_j$, input $c_{j-1,i} = (a_{j-1,i}, b_{j-1,i})$ is permuted to
$c_{j,\pi_j(i)} = (a_{j,\pi_j(i)}, b_{j,\pi_j(i)}) = (g^{r_{j,i}} \cdot a_{j-1,i},\ y^{r_{j,i}} \cdot b_{j-1,i})$ where $r_{j,i}$ is randomly cho-
sen and $\pi_j$ is a secret random permutation of $\{1, 2, \ldots, n\}$. The outputs of the
mix network are $c'_i = c_{m,i}$ for $i = 1, 2, \ldots, n$. The shuffling from $n$ inputs to $n$
outputs on every server is denoted as $PN(n)$, correctness of which must be ver-
ified. Finally, the decrypting authorities (e.g. the servers themselves) cooperate
to decrypt $c'_i$ for $i = 1, 2, \ldots, n$.
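The re-encryption step $c_{j,\pi_j(i)} = (g^{r_{j,i}} a_{j-1,i},\ y^{r_{j,i}} b_{j-1,i})$ described above, in Python as an added example (not code from this paper or from Ogata et al.): one server's shuffle on the safe-prime group of the parameter settings, followed by decryption to confirm that the outputs are a permutation of the input plaintexts. The group $p = 2039$, $q = 1019$, $g = 4$ and the message values are constructed toy parameters, and the threshold decryption of the real scheme is replaced by a single key holder.

```python
import secrets

# Constructed toy parameters for illustration only (example code, not the
# paper's own): q = 1019 and p = 2q + 1 = 2039 are both prime, and g = 4 is a
# square mod p, hence a generator of the order-q subgroup G. Real deployments
# use q of at least 256 bits.
P, Q = 2039, 1019
G_GEN = 4


def keygen():
    """ElGamal key pair on G: private x in Z_q, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G_GEN, x, P)


def encrypt(y, m, r=None):
    """Encrypt m in G as (g^r, y^r * m); r is the user's randomising factor."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G_GEN, r, P), pow(y, r, P) * m % P)


def reencrypt(y, c, r):
    """Mix re-encryption: (g^r * a, y^r * b), no private key involved."""
    a, b = c
    return (pow(G_GEN, r, P) * a % P, pow(y, r, P) * b % P)


def decrypt(x, c):
    """Plain ElGamal decryption b / a^x (threshold decryption is not modelled)."""
    a, b = c
    return b * pow(a, -x, P) % P


def server_shuffle(y, inputs):
    """One server SV_j: fresh r_{j,i} per input and a secret permutation pi_j.
    Returns the outputs and the secret (pi_j, r) the server would keep."""
    n = len(inputs)
    perm = list(range(n))
    # Fisher-Yates with a CSPRNG so that all n! permutations are equally likely
    for i in range(n - 1, 0, -1):
        s = secrets.randbelow(i + 1)
        perm[i], perm[s] = perm[s], perm[i]
    rs = [secrets.randbelow(Q) for _ in range(n)]
    outputs = [None] * n
    for i, c in enumerate(inputs):
        outputs[perm[i]] = reencrypt(y, c, rs[i])
    return outputs, (perm, rs)


def run_mix(x, y, plaintexts, servers=3):
    """Encrypt, pass through `servers` shuffling servers, then decrypt.
    Returns (input ciphertexts, final ciphertexts, decrypted outputs)."""
    cts = [encrypt(y, m) for m in plaintexts]
    current = cts
    for _ in range(servers):
        current, _secret = server_shuffle(y, current)
    return cts, current, [decrypt(x, c) for c in current]


def is_permutation(plaintexts, outputs):
    """Correctness property: outputs are a permutation of the input plaintexts."""
    return sorted(plaintexts) == sorted(outputs)


if __name__ == "__main__":
    x, y = keygen()
    msgs = [pow(G_GEN, k, P) for k in (3, 17, 29, 101, 555)]  # elements of G
    _, _, out = run_mix(x, y, msgs)
    print("outputs are a permutation of inputs:", is_permutation(msgs, out))
```

Because re-encryption only multiplies by $(g^r, y^r)$, the plaintext is untouched and nobody needs $x$ to shuffle; the link between an input and its output is hidden by the fresh $r_{j,i}$, which is exactly what the correctness verification in the next sections has to reason about without revealing it.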

Mix networks can be further classified into three categories according to the 
different correctness verification mechanisms. 

— In the first category, correctness is not verified and the servers are trusted to
perform the shuffling correctly. Ohkubo and Abe [16] designed an example
in this category. Strong trust is necessary in such a mix network.

— Mix networks in the second category do not provide a verification of correct
shuffling by each server separately. Instead, correctness of the shuffling by
the whole mix network is verified after the mix network outputs the shuffled
results in plaintexts. Several published schemes fall into this category [6,
17, 19, 9]. Drawbacks of this category include 1) a cheating server cannot
be identified instantly; 2) in case of verification of incorrect shuffling, a mix
network in the third category must be employed to perform the shuffling
again; 3) some outputs may be revealed in plaintext even when the shuffling
is incorrect and a re-shuffling is needed.

— In the third category [18, 13, 1, 2, 8, 15, 12, 4, 14, 10] each server verifies cor-
rectness of the previous servers' shuffling before performing its own shuffling
and proves that its own shuffling is correct before sending the outputs to the next
server. Although the schemes in the first two categories are more efficient,
the third category is still very useful because

1. it overcomes the shortcomings of the first two categories;

2. it is a necessary sub-function (to deal with the abnormal situation when
cheating in the shuffling is found) in the second category.

However, in this category, various problems exist: [13] is not publicly ver-
ifiable; the guarantee for correctness and privacy is not strong enough for
many applications [12, 4]; [1, 2, 15, 18] are inefficient. Among them, three
recently proposed schemes [8, 14, 10] are the best. However, these three schemes
are still not efficient enough for large-scale applications (e.g. national voting)
as their computational cost is linear in the number of inputs.

In the third category, Abe's scheme [1] has a particularly useful feature which
is an efficiency improvement on the following naive mix network. Let $\pi_{j,l}$ for
$l = 1, 2, \ldots, n!$ be all the $n!$ possible permutations for $\pi_j$. A naive method to
verify correctness of shuffling by $SV_j$ is to test the following equation.

$\log_g(a_{j,\pi_{j,1}(i)}/a_{j-1,i}) = \log_y(b_{j,\pi_{j,1}(i)}/b_{j-1,i})$ for $i = 1, 2, \ldots, n$

$\vee\ \log_g(a_{j,\pi_{j,2}(i)}/a_{j-1,i}) = \log_y(b_{j,\pi_{j,2}(i)}/b_{j-1,i})$ for $i = 1, 2, \ldots, n$ (1)

$\ldots \vee\ \log_g(a_{j,\pi_{j,n!}(i)}/a_{j-1,i}) = \log_y(b_{j,\pi_{j,n!}(i)}/b_{j-1,i})$ for $i = 1, 2, \ldots, n$

This verification allows correctness to be proved without breaching privacy. Zero
knowledge proof of 1-out-of-$n!$ equality of logarithms can be applied to imple-
ment (1), based on the zero knowledge proof of partial knowledge by Cramer et
al. [7].
This test is very inefficient because the computational cost for both the prover
and verifier on every server is $O(n \cdot n!)$ exponentiations. So Abe improved its
efficiency by dividing an $n$-input-to-$n$-output mixing (denoted as $PN(n)$ in [1])
into a few 2-input-to-2-output mixings (denoted as $PN(2)$ in [1]). However, Abe's
schemes are still not efficient enough for many applications. Our proposal is to
design a re-encryption mix network employing correctness verification per server.
The new scheme overcomes the shortcomings of Abe's schemes [1, 2], while re-
taining the idea that efficiency can be gained by dividing a large-scale correctness
verification into several small-scale correctness verifications. It achieves higher
computational efficiency than that of [8, 14, 10] in that the computational cost is
independent of the number of users, but determined by the extent of correctness
and privacy required by a certain application.



3 Preliminary Work 

In this section we introduce the building blocks used to construct our mix net- 
work. We first propose a new method for shuffling verification in a mix network 
and prove that it is sufficient to guarantee validity of the shuffling. Then we 
present a new batch verification technology to improve efficiency of simulta- 
neous proofs of equality of logarithms, which appear in the verification of the 
shuffling. 



3.1 Improvement on the Naive Verification Technique

Although naive verification by Equation (1) can explicitly guarantee the cor-
rectness of $SV_j$'s shuffling, it is too inefficient to be practical. A more efficient
verification technique uses the following equation.

$\log_g(a_{j,1}/a_{j-1,i}) = \log_y(b_{j,1}/b_{j-1,i})\ \vee$

$\log_g(a_{j,2}/a_{j-1,i}) = \log_y(b_{j,2}/b_{j-1,i})\ \vee \ldots \vee$

$\log_g(a_{j,n}/a_{j-1,i}) = \log_y(b_{j,n}/b_{j-1,i})$ for $i = 1, 2, \ldots, n$. (2)

Equation (2) must be proved with a zero knowledge proof of 1-out-of-$n$ equality
of logarithms. The computational cost of proof and verification of this equation
is $n(4n-2)$ and $4n^2$ exponentiations respectively. The zero knowledge proof of
Equation (2) by $SV_j$ is denoted by CV (correctness verification) in the rest of
this paper.

It is proved in Theorem 1 that CV is enough for the correctness verification.



Definition 1 $SV_j(c_{j-1,\mu}, c_{j,\nu}) = 1$ means $SV_j$ knows $r_{j,\nu}$ satisfying $a_{j,\nu} = g^{r_{j,\nu}} \cdot a_{j-1,\mu}$ and $b_{j,\nu} = y^{r_{j,\nu}} \cdot b_{j-1,\mu}$.

Theorem 1. If the shuffling by $SV_j$ is incorrect, CV can be satisfied with a
probability no more than $1/q$ without collusion of all the previous $j-1$ servers
and at least two users, assuming the DL problem is intractable.

To prove Theorem 1, the following lemma is used.

Lemma 1. If the shuffling by $SV_j$ is incorrect and for every $c_{j-1,\mu}$ with $1 \le \mu \le n$
there exists some $c_{j,\nu}$ with $1 \le \nu \le n$ such that $SV_j(c_{j-1,\mu}, c_{j,\nu}) = 1$, then
$SV_j$ knows $\log_g a_{j-1,i'} - \log_g a_{j-1,i''}$ where $1 \le i' < i'' \le n$.

Proof: If the shuffling is incorrect and for every $c_{j-1,\mu}$ for $\mu = 1, 2, \ldots, n$
there exists a $c_{j,\nu}$ with $1 \le \nu \le n$ satisfying $SV_j(c_{j-1,\mu}, c_{j,\nu}) = 1$, then there
must be two inputs $c_{j-1,\mu_1}$ and $c_{j-1,\mu_2}$ satisfying $SV_j(c_{j-1,\mu_1}, c_{j,\tau}) = 1$ and
$SV_j(c_{j-1,\mu_2}, c_{j,\tau}) = 1$ with $1 \le \tau \le n$. Otherwise there exists a permutation $PM$
between the inputs and outputs such that $c_{j,\nu} = PM(c_{j-1,\mu})$ if $SV_j(c_{j-1,\mu}, c_{j,\nu}) = 1$,
which is contradictory to the assumption that the shuffling is incorrect.

$SV_j(c_{j-1,\mu_1}, c_{j,\tau}) = 1$ and $SV_j(c_{j-1,\mu_2}, c_{j,\tau}) = 1$ means $SV_j$ knows $\lambda_1$ and
$\lambda_2$, so that $a_{j,\tau} = g^{\lambda_1} a_{j-1,\mu_1}$, $b_{j,\tau} = y^{\lambda_1} b_{j-1,\mu_1}$, $a_{j,\tau} = g^{\lambda_2} a_{j-1,\mu_2}$ and $b_{j,\tau} = y^{\lambda_2} b_{j-1,\mu_2}$.

Proof of Theorem 1: As $SV_j$ cannot get collusion of all the previous $j-1$
servers and at least two users, the inputs to $SV_j$ are encrypted randomly
from the viewpoint of $SV_j$ and $SV_j$ knows $\log_g a_{j-1,i}$ for at most one $c_{j-1,i} = (a_{j-1,i}, b_{j-1,i})$
where $1 \le i \le n$ if the DL problem is intractable. So, if the shuffling
by $SV_j$ is incorrect, there exists $c_{j-1,\mu}$ so that $SV_j(c_{j-1,\mu}, c_{j,\nu}) \ne 1$ for $\nu = 1, 2, \ldots, n$.
Otherwise according to Lemma 1 $SV_j$ knows $\log_g a_{j-1,i'} - \log_g a_{j-1,i''}$
where $1 \le i' < i'' \le n$, which is contradictory to the above assumption. So

$\log_g(a_{j,1}/a_{j-1,\mu}) = \log_y(b_{j,1}/b_{j-1,\mu})\ \vee\ \log_g(a_{j,2}/a_{j-1,\mu}) = \log_y(b_{j,2}/b_{j-1,\mu})\ \vee \ldots \vee\ \log_g(a_{j,n}/a_{j-1,\mu}) = \log_y(b_{j,n}/b_{j-1,\mu})$

can be proved in CV with a probability no more than $1/q$ as proof of equality
of logarithms in CV implies knowledge of the logarithm (without knowledge of the
logarithm, $SV_j$ can only guess the challenge and the success probability of the
guess is $1/q$).

Therefore, CV can be satisfied with a probability no more than $1/q$. □

Even when $SV_j$ colludes with all previous $j-1$ servers and at least two users,
invalid shuffling of the honest users' inputs will still be discovered in CV with
an overwhelmingly large probability. This conclusion is straightforward from the
proof of Lemma 1. In the proof of Lemma 1, it is illustrated that the only possible
attack against correctness is for a malicious server to collude with two or more
malicious users and all the previous servers to tamper with any of these malicious
users' inputs. Since an honest user will not conspire with the malicious server
and will conceal the randomising factor in his encrypted input, the attack against
the integrity of his input can only succeed with a negligible probability if DL is
intractable. Due to space limitations, this conclusion is not proved in detail.
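What CV proves for one input, and why an incorrect shuffle fails it except with probability $1/q$ (Theorem 1), as an added Python example (not the paper's code): a 1-out-of-$n$ proof of equality of logarithms built from Chaum-Pedersen proofs with the OR-composition of Cramer et al. [7], made non-interactive with a hash-derived challenge. The toy group ($p = 2039$, $q = 1019$, $g = 4$), the secret key, the permutation and the randomisers are constructed values; the hash-based challenge and the hard-coded indices are assumptions of this example, not of the paper.

```python
import hashlib
import secrets

# Constructed toy group (example code, not the paper's): q = 1019 and
# p = 2q + 1 = 2039 are prime; g = 4 generates the order-q subgroup G.
# Neither prover nor verifier needs the ElGamal secret key, only the public y.
P, Q, G_GEN = 2039, 1019, 4


def reencrypt(y, c, r):
    """Mix re-encryption: (g^r * a, y^r * b)."""
    return (pow(G_GEN, r, P) * c[0] % P, pow(y, r, P) * c[1] % P)


def _challenge(*parts):
    """Fiat-Shamir style challenge in Z_q over all commitments (an assumption
    of this example; the paper's CV is described as an interactive proof)."""
    data = ",".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_one_of_n(y, c_in, outputs, v, r):
    """Prover SV_j shows that some output has equal logs with input c_in,
    i.e. log_g(a'_v / a) = log_y(b'_v / b), knowing index v and exponent r.
    Clauses i != v are simulated with random (c_i, s_i); clause v is real."""
    n = len(outputs)
    a, b = c_in
    A = [o[0] * pow(a, -1, P) % P for o in outputs]   # a'_i / a
    B = [o[1] * pow(b, -1, P) % P for o in outputs]   # b'_i / b
    cs, ss, t1, t2 = [0] * n, [0] * n, [0] * n, [0] * n
    w = secrets.randbelow(Q)                          # nonce of the real clause
    for i in range(n):
        if i == v:
            t1[i], t2[i] = pow(G_GEN, w, P), pow(y, w, P)
        else:
            cs[i], ss[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            t1[i] = pow(G_GEN, ss[i], P) * pow(A[i], -cs[i], P) % P
            t2[i] = pow(y, ss[i], P) * pow(B[i], -cs[i], P) % P
    c = _challenge(*t1, *t2)
    cs[v] = (c - sum(cs)) % Q          # the real clause absorbs the remainder
    ss[v] = (w + cs[v] * r) % Q
    return cs, ss


def verify_one_of_n(y, c_in, outputs, proof):
    """Verifier recomputes every commitment and checks the challenge sum."""
    cs, ss = proof
    a, b = c_in
    t1, t2 = [], []
    for o, ci, si in zip(outputs, cs, ss):
        A = o[0] * pow(a, -1, P) % P
        B = o[1] * pow(b, -1, P) % P
        t1.append(pow(G_GEN, si, P) * pow(A, -ci, P) % P)
        t2.append(pow(y, si, P) * pow(B, -ci, P) % P)
    return sum(cs) % Q == _challenge(*t1, *t2)


def demo():
    """Honest shuffle: every input's proof verifies. Incorrect shuffle: the
    server replaced one output by an unrelated ciphertext and cannot prove it."""
    x = 77                                  # constructed secret key
    y = pow(G_GEN, x, P)
    inputs = [(pow(G_GEN, k, P), pow(y, k, P) * pow(G_GEN, m, P) % P)
              for k, m in zip((5, 6, 7, 8), (3, 17, 29, 101))]
    n = len(inputs)
    perm = [2, 0, 3, 1]                     # constructed secret permutation
    rs = [11, 22, 33, 44]                   # constructed randomisers r_{j,i}
    outputs = [None] * n
    for i, c in enumerate(inputs):
        outputs[perm[i]] = reencrypt(y, c, rs[i])
    honest = all(verify_one_of_n(y, inputs[i], outputs,
                                 prove_one_of_n(y, inputs[i], outputs, perm[i], rs[i]))
                 for i in range(n))
    bad = list(outputs)
    bad[perm[0]] = (pow(G_GEN, 99, P), pow(y, 99, P) * pow(G_GEN, 500, P) % P)
    cheated = verify_one_of_n(y, inputs[0], bad,
                              prove_one_of_n(y, inputs[0], bad, perm[0], rs[0]))
    return honest, cheated


if __name__ == "__main__":
    ok, forged = demo()
    print("honest proofs verify:", ok, " forged proof verifies:", forged)
```

Per input the prover spends $4n-2$ exponentiations (four for each simulated clause, two for the real one) and the verifier $4n$, which is where the $n(4n-2)$ and $4n^2$ totals quoted for CV come from. A server that substituted an output passes only if the challenge share left for its real clause happens to be $0 \bmod q$, the $1/q$ of Theorem 1.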
3.2 Batch Verification of Equality of Logarithms

A theorem for batch verification is presented in this section, which extends known 
batch techniques [3, 5, 11]. This technique can batch verify equality of logarithms 
and optimize efficiency of the verification protocol in Section 3.1. Batch verifi- 
cation of equality of logarithms was first mentioned in a voting scheme [18]. 
However, in [18], batch verification is not formally proposed or proved to be 
secure. 

The formal description of batch verification of equality of logarithms is pro- 
vided in Theorem 2, which will be formally proved. 



Definition 2 $|\cdot|$ is the absolute-value function from $Z_p^*$ to $G$ defined by

$|a| = a$ if $a \in G$
$|a| = -a$ if $a \in Z_p^* \setminus G$

Theorem 2. Suppose $y_i \in Z_p^*$ and $z_i \in Z_p^*$ for $i = 1, 2, \ldots, n$. Let $l$ be a security
parameter and $t_i$ satisfying $t_i < 2^l < q$ for $i = 1, 2, \ldots, n$ be random values. If
there exists $v$, such that $1 \le v \le n$ and $\log_g |y_v| \ne \log_h |z_v|$, then $\log_g \prod_{i=1}^{n} y_i^{t_i} \ne \log_h \prod_{i=1}^{n} z_i^{t_i}$
with a probability no less than $1 - 2^{-l}$.

To prove Theorem 2, a lemma is proved first. 

Lemma 2. Suppose $y_i \in Z_p^*$ and $z_i \in Z_p^*$ for $i = 1, 2, \ldots, n$ and $t_1, t_2, \ldots, t_{v-1}, t_{v+1}, t_{v+2}, \ldots, t_n$
are constant. If $\log_g |y_v| \ne \log_h |z_v|$ with $1 \le v \le n$ and
$\log_g \prod_{i=1}^{n} y_i^{t_i} = \log_h \prod_{i=1}^{n} z_i^{t_i}$, then there is only one possible solution for $t_v$.

Proof: If the lemma is not correct, the following two equations are satisfied
simultaneously where $\log_g |y_v| \ne \log_h |z_v|$, $t_1, t_2, \ldots$ and $t_v \ne \hat{t}_v$.

$\log_g \prod_{i=1}^{n} y_i^{t_i} = \log_h \prod_{i=1}^{n} z_i^{t_i}$ (3)

$\log_g \prod_{i=1}^{v-1} y_i^{t_i} \cdot y_v^{\hat{t}_v} \cdot \prod_{i=v+1}^{n} y_i^{t_i} = \log_h \prod_{i=1}^{v-1} z_i^{t_i} \cdot z_v^{\hat{t}_v} \cdot \prod_{i=v+1}^{n} z_i^{t_i}$ (4)

Without losing generality, suppose $t_v > \hat{t}_v$. (3) $-$ (4):

$\log_g y_v^{t_v - \hat{t}_v} = \log_h z_v^{t_v - \hat{t}_v}$

As $y_v$ and $z_v$ are members of $Z_p^*$, there are two possibilities.

1. $y_v$ and $z_v$ are members of $G$. Then $(t_v - \hat{t}_v) \log_g y_v = (t_v - \hat{t}_v) \log_h z_v \bmod q$.
Note that $t_v - \hat{t}_v \ne 0 \bmod q$ because $1 \le \hat{t}_v < t_v < 2^l < q$. Therefore,

$\log_g y_v = \log_h z_v \bmod q$

2. $y_v$ or $z_v \in Z_p^* \setminus G$. Then $t_v - \hat{t}_v$ must have a factor 2 and
$\frac{t_v - \hat{t}_v}{2} \log_g y_v^2 = \frac{t_v - \hat{t}_v}{2} \log_h z_v^2 \bmod q$. Note that $\frac{t_v - \hat{t}_v}{2} \ne 0 \bmod q$ because $1 \le \hat{t}_v < t_v < 2^l < q$.
Therefore, $\log_g y_v^2 = \log_h z_v^2 \bmod q$. Namely $\log_g |y_v| = \log_h |z_v| \bmod q$.

In both cases, $\log_g |y_v| = \log_h |z_v|$. That is contradictory to the assumption
$\log_g |y_v| \ne \log_h |z_v|$. □

Proof of Theorem 2: Lemma 2 means that among the $(2^l)^n$ possible combinations
of $t_i$ for $i = 1, 2, \ldots, n$, at most $(2^l)^{n-1}$ of them can satisfy $\log_g \prod_{i=1}^{n} y_i^{t_i} = \log_h \prod_{i=1}^{n} z_i^{t_i}$
when $\log_g |y_v| \ne \log_h |z_v|$. So if $\log_g |y_v| \ne \log_h |z_v|$ and $t_i$ for
$i = 1, 2, \ldots, n$ are randomly chosen, $\log_g \prod_{i=1}^{n} y_i^{t_i} = \log_h \prod_{i=1}^{n} z_i^{t_i}$ is satisfied
with probability no more than $2^{-l}$. □
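Theorem 2 and Lemma 2 in executable form, as an added Python example (not the paper's code): the absolute-value function of Definition 2, the two products $\prod_i y_i^{t_i}$ and $\prod_i z_i^{t_i}$, and an exhaustive count over $t_v$ showing that, with the other exponents fixed, at most one value of $t_v$ makes the logarithms of the products agree. The group ($p = 2039$, $q = 1019$, $g = 4$, $h = 9$), $l = 8$ and all exponents are constructed values. Because the group is tiny, equality of logarithms is decided by brute-force discrete logarithms, and the honest case is checked against a revealed witness exponent rather than the Chaum-Pedersen proof a verifier would actually receive; both are simplifications of this example.

```python
import secrets

# Constructed toy group (example code, not the paper's): q = 1019 and
# p = 2q + 1 = 2039 are prime; g = 4 and h = 9 are squares mod p, so both
# generate the order-q subgroup G. L plays the role of l in Theorem 2 (2^L < q).
P, Q, G_GEN, H_GEN = 2039, 1019, 4, 9
L = 8


def in_G(a):
    """Membership test for the order-q subgroup: a^q = 1 mod p."""
    return pow(a, Q, P) == 1


def absval(a):
    """Definition 2: |a| = a if a is in G, otherwise -a (which lies in G,
    since -1 is a non-residue when p = 3 mod 4)."""
    return a if in_G(a) else (-a) % P


def dlog(base, val):
    """Brute-force discrete log; only feasible because the toy group is tiny."""
    acc = 1
    for e in range(Q):
        if acc == val:
            return e
        acc = acc * base % P
    return None


def batch_products(ys, zs, ts):
    """The two products of Theorem 2: prod y_i^t_i and prod z_i^t_i."""
    y_prod = z_prod = 1
    for yi, zi, ti in zip(ys, zs, ts):
        y_prod = y_prod * pow(yi, ti, P) % P
        z_prod = z_prod * pow(zi, ti, P) % P
    return y_prod, z_prod


def logs_agree(ys, zs, ts):
    """True iff log_g(prod y_i^t_i) = log_h(prod z_i^t_i); both must lie in G
    for the logarithms to exist at all."""
    y_prod, z_prod = batch_products(ys, zs, ts)
    return in_G(y_prod) and in_G(z_prod) and dlog(G_GEN, y_prod) == dlog(H_GEN, z_prod)


def batch_check(ys, zs, ts, witness):
    """Verifier side with a revealed witness R = sum t_i r_i (simplification:
    in the mix the prover gives a Chaum-Pedersen proof of this one equality)."""
    y_prod, z_prod = batch_products(ys, zs, ts)
    return pow(G_GEN, witness, P) == y_prod and pow(H_GEN, witness, P) == z_prod


def random_exponents(n):
    """t_i uniformly random in [1, 2^L), as the verifier would choose them."""
    return [secrets.randbelow(2 ** L - 1) + 1 for _ in range(n)]


def count_passing_tv(ys, zs, ts, v):
    """Lemma 2 by exhaustion: with every t_i except t_v fixed, count the
    values of t_v in [1, 2^L) for which the logarithms of the products agree."""
    hits = 0
    for tv in range(1, 2 ** L):
        ts2 = list(ts)
        ts2[v] = tv
        hits += logs_agree(ys, zs, ts2)
    return hits


def demo():
    """Returns (honest batch passes, hits with one bad pair, hits with two)."""
    r = [5, 17, 29, 101]                         # constructed common exponents
    ys = [pow(G_GEN, ri, P) for ri in r]
    zs = [pow(H_GEN, ri, P) for ri in r]         # log_g y_i = log_h z_i for all i
    ts = [3, 77, 9, 250]                         # constructed t_i < 2^L
    honest = batch_check(ys, zs, ts, sum(t * ri for t, ri in zip(ts, r)) % Q)
    one_bad = list(zs)
    one_bad[2] = pow(H_GEN, 30, P)               # log_h z_2 = 30, not 29
    two_bad = list(one_bad)
    two_bad[0] = pow(H_GEN, (r[0] - 7) % Q, P)   # second mismatch, offset 7
    return (honest,
            count_passing_tv(ys, one_bad, ts, 2),
            count_passing_tv(ys, two_bad, ts, 2))
```

With a single mismatching pair no $t_v$ in range rescues the batch (the equation would force $t_v \equiv 0 \bmod q$); with two mismatches arranged so that the cancellation lands inside $[1, 2^l)$ exactly one $t_v$ does, which is the "only one possible solution" of Lemma 2 and hence the $2^{-l}$ bound of Theorem 2. This is the check that Section 4.2 applies per $\beta$ across the $z$ groups of a server.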

4 The Proposed Mix Network 

When the server $SV_j$ performs ElGamal re-encryption and permutation $\pi_j$ and
Equation (2) is employed to verify the correctness of shuffling, the following
properties are achieved.

1. A dishonest server $SV_j$ can prove its incorrect shuffling to be correct with
probability no more than $1/q$ without collusion of all the previous $j-1$
servers and at least two users. Even when $SV_j$ colludes with all the previous
$j-1$ servers and at least two users, invalid shuffling of honest users' inputs
will still be discovered in CV with an overwhelmingly large probability.

2. Identified incorrect shuffling can be removed and the mix network can recover
efficiently.

3. Computational costs for the prover and verifier of the correctness verification
of a server's shuffling are $n(4n-2)$ and $4n^2$ exponentiations respectively.

4. If at least one server is honest, all the $n!$ permutations are equally possible
in the mix network and if the number of malicious decrypting authorities is
no more than $t$, privacy is achieved.

This mix network is denoted as Mix-1. However there are still some drawbacks
of this solution:

— when two users conspire with the first server, correctness is not guaranteed;

— when $n$ is large, $O(n^2)$ exponentiations is still a high cost.

To solve these problems, an idea of Abe [1, 2] is used: divide a $PN(n)$ into
a few smaller shufflings, verification of whose correctness is efficient. However,
the switching gate $PN(2)$ is not applied in this paper to avoid complex construction
of gate circuits. Instead, a simpler grouping technique is used.

4.1 Group Shuffling 

On each server the $n$ inputs are divided into groups with the same size $k$, while re-
encryption and random permutation are applied to each group.

446 Kun Peng et al.

For simplicity, suppose $n = k^u$. There are $z = k^{u-1}$ groups. Usually $m < u$ as the number of
servers is often small. The grouping function on every server is specially designed
according to a general rule: if an input to the mix network is likely to be permuted
to a few outputs after the shuffling of the first $j$ servers, any two of these outputs
(inputs to the $(j+1)$th server) cannot be divided into the same group on the $(j+1)$th
server. This rule can provide the greatest diffusion, and thus as strong privacy
as possible.

Before the shuffling, each server $SV_j$ randomly generates $v_{j,i} \in G$ for
$i = 1, 2, \ldots, n$. Inputs to the mix network $c_i$ for $i = 1, 2, \ldots, n$ are sorted to
$c_{0,i} = (a_{0,i}, b_{0,i})$ for $i = 1, 2, \ldots, n$, so that $a_{0,i} + \cdots \bmod p$ increases as $i$
increases. On server $SV_j$, the shuffling is as follows.

1. Grouping

— $SV_j$ gets inputs $c_{j-1,i}$ for $i = 1, 2, \ldots, n$ from $SV_{j-1}$. So far
$c_{0,k^{j-1}w+1}, \ldots, c_{0,k^{j-1}w+k^{j-1}}$ have been shuffled to
$c_{j-1,k^{j-1}w+1}, c_{j-1,k^{j-1}w+2}, \ldots, c_{j-1,k^{j-1}w+k^{j-1}}$ for $w = 0, 1, \ldots, k^{u-j+1}-1$. De-
note $c_{j-1,k^{j-1}w+1}, c_{j-1,k^{j-1}w+2}, \ldots, c_{j-1,k^{j-1}w+k^{j-1}}$ as shuffling range
$R_{j-1,w+1}$; then $SV_j$ in fact receives shuffling ranges $R_{j-1,1}, R_{j-1,2}, \ldots, R_{j-1,k^{u-j+1}}$.

— $SV_j$ regroups every $k$ successive shuffling ranges. The $k$ inputs in the
same position in every $k$ successive shuffling ranges are regrouped into
the same group. Namely, input $c_{j-1,i}$ is mapped to $c_{j,\alpha,\beta}$, which is the
$\beta$th element in Group $\alpha$, where $\alpha = \lfloor (i-1)/k^j \rfloor k^{j-1} + ((i-1) \bmod k^{j-1}) + 1$
and $\beta = \lfloor ((i-1) \bmod k^j)/k^{j-1} \rfloor + 1$.

2. Re-encryption and permutation

$c_{j,\alpha,\beta} = (a_{j,\alpha,\beta}, b_{j,\alpha,\beta})$ is permuted to
$c'_{j,\alpha,\pi_{j,\alpha}(\beta)} = (a'_{j,\alpha,\pi_{j,\alpha}(\beta)}, b'_{j,\alpha,\pi_{j,\alpha}(\beta)}) = (g^{r_{j,\alpha,\beta}} \cdot a_{j,\alpha,\beta},\ y^{r_{j,\alpha,\beta}} \cdot b_{j,\alpha,\beta})$
for $\alpha = 1, 2, \ldots, z$ and $\beta = 1, 2, \ldots, k$ where $r_{j,\alpha,\beta}$ is randomly
chosen and $\pi_{j,\alpha}$ for $\alpha = 1, 2, \ldots, z$ are random secret permutations from
$\{1, 2, \ldots, k\}$ to $\{1, 2, \ldots, k\}$.

3. De-grouping

$c_{j,i} = c'_{j,\alpha,\beta}$ where $i = k(\alpha-1) + \beta$.

Shuffling of $SV_j$ is verified by $SV_{j+1}$ before it starts its own shuffling using
the following equation.

$\log_g(a'_{j,\alpha,1}/a_{j,\alpha,\beta}) = \log_y(b'_{j,\alpha,1}/b_{j,\alpha,\beta})\ \vee\ \log_g(a'_{j,\alpha,2}/a_{j,\alpha,\beta}) = \log_y(b'_{j,\alpha,2}/b_{j,\alpha,\beta})\ \vee \ldots \vee\ \log_g(a'_{j,\alpha,k}/a_{j,\alpha,\beta}) = \log_y(b'_{j,\alpha,k}/b_{j,\alpha,\beta})$ (5)

for $\alpha = 1, 2, \ldots, z$ and $\beta = 1, 2, \ldots, k$

Realization of verification of Equation (5) is denoted as GCV (grouped cor-
rectness verification). If the verification fails, $SV_{j+1}$ gets the outputs of $SV_{j-1}$,
verifies them and uses them as its inputs if they are valid. If $SV_{j-1}$'s outputs
are invalid too, it gets the outputs of the previous server until it finds a set of
valid outputs as its inputs. After the shuffling of the last server, the outputs are
decrypted as in Mix-1. This mix network applying group shuffling is denoted as
Mix-2.
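The grouping function of step 1, as an added Python example (not the paper's code) that reads $\alpha$ and $\beta$ as the integer-division formulas above: for $n = k^u$ and every server $j \le u$ it checks that $i \mapsto (\alpha, \beta)$ is a bijection onto $\{1, \ldots, z\} \times \{1, \ldots, k\}$, that de-grouping inverts it, and that no two positions of one shuffling range $R_{j-1,w}$ land in the same group on $SV_j$, which is the diffusion rule stated at the start of Section 4.1. A naive consecutive grouping is included for contrast. The random sorting by $v_{j,i}$ is omitted here, so positions are the deterministic indices; that, and the choice of $k$ and $u$, are assumptions of the example.

```python
# Added example (not the paper's code) for the grouping function of Section 4.1
# with n = k^u inputs and z = k^(u-1) groups of size k. Indices i, alpha, beta
# are 1-based as in the paper; the divisions in alpha and beta are integer
# divisions (floor).


def group_position(i, j, k):
    """Map input c_{j-1,i} of server SV_j to (alpha, beta): the beta-th element
    of group alpha."""
    alpha = ((i - 1) // k ** j) * k ** (j - 1) + ((i - 1) % k ** (j - 1)) + 1
    beta = ((i - 1) % k ** j) // k ** (j - 1) + 1
    return alpha, beta


def degroup_index(alpha, beta, k):
    """De-grouping step: c_{j,i} = c'_{j,alpha,beta} with i = k(alpha - 1) + beta."""
    return k * (alpha - 1) + beta


def shuffling_ranges(j, k, u):
    """Shuffling ranges R_{j,w+1}: the k^j consecutive positions an input may
    occupy after servers SV_1 .. SV_j, for w = 0 .. k^(u-j) - 1."""
    size = k ** j
    return [list(range(size * w + 1, size * w + size + 1)) for w in range(k ** (u - j))]


def grouping_is_bijective(j, k, u):
    """Every (alpha, beta) with 1 <= alpha <= z, 1 <= beta <= k is hit exactly once."""
    n, z = k ** u, k ** (u - 1)
    seen = set()
    for i in range(1, n + 1):
        alpha, beta = group_position(i, j, k)
        if not (1 <= alpha <= z and 1 <= beta <= k):
            return False
        seen.add((alpha, beta))
    return len(seen) == n


def diffusion_rule_holds(j, k, u):
    """Rule of Section 4.1: two positions from the same shuffling range of
    SV_{j-1} must never land in the same group on SV_j (for 2 <= j <= u)."""
    for positions in shuffling_ranges(j - 1, k, u):
        groups = [group_position(i, j, k)[0] for i in positions]
        if len(set(groups)) != len(groups):
            return False
    return True


def naive_consecutive_rule_holds(j, k, u):
    """Contrast: always grouping k consecutive inputs (alpha = (i-1)//k + 1)
    keeps a whole shuffling range inside one group, so the rule fails."""
    for positions in shuffling_ranges(j - 1, k, u):
        groups = [(i - 1) // k + 1 for i in positions]
        if len(set(groups)) != len(groups):
            return False
    return True


def check_all_servers(k, u):
    """True when for every server j = 1..u the grouping is a bijection and,
    for j >= 2, the diffusion rule holds."""
    return (all(grouping_is_bijective(j, k, u) for j in range(1, u + 1))
            and all(diffusion_rule_holds(j, k, u) for j in range(2, u + 1)))


if __name__ == "__main__":
    print("k=3, u=3 (n=27):", check_all_servers(3, 3))
    print("naive grouping obeys the rule on SV_2:", naive_consecutive_rule_holds(2, 3, 3))
```

On $SV_1$ the formula simply cuts the sorted inputs into consecutive blocks of $k$; from $SV_2$ on it picks one element from each of $k$ successive ranges, so everything that an honest $SV_{j-1}$ could have mixed together is spread over $k$ different groups on $SV_j$, which is what gives each input $k^e$ equally likely destinations after $e$ honest servers.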
The following theorem can be proved in a way similar to the proof of Theo-
rem 1.

Theorem 3. If the group shuffling by $SV_j$ is incorrect, GCV can be satisfied
with a probability no more than $1/q$ without collusion of all the previous $j-1$
servers and at least two users in the same group on $SV_j$, assuming the DL problem
is intractable.

When conspiracy of all the previous servers and at least two malicious users
is available, an attack against correctness is more difficult than in Mix-1. As the
grouping function is dependent on $v_{j,i}$ for $j = 1, 2, \ldots, m$ and $i = 1, 2, \ldots, n$, if at
least one server is honest to generate them randomly, the grouping on any server
is random. So if only a static attack (all colluding users and servers are chosen
before the attack starts) is considered and at least one server $SV_j$ is honest to
choose $v_{j,i}$ for $i = 1, 2, \ldots, n$ randomly, the probability that the colluding users
are in the same group on any server is low. For example, even if $SV_1$ colludes
with two users, they happen to fall in the same group with a probability $1/z$. That
means although attacks involving more than one user and the first few servers
against correctness are still possible, they succeed with a low probability¹. Like
in Mix-1, the probability to tamper with an honest user's input successfully is
negligible if DL is intractable. Therefore, the correctness property is improved.

The computational cost to produce the proof is $n(4k-2)$ exponentiations.
The computational cost to verify the proof is $4nk$ exponentiations. Better effi-
ciency is achieved compared to Mix-1.

Privacy of Mix-2 is achieved if the number of malicious decrypting authorities
is no more than $t$. The extent of privacy is measured by two factors: diffusion
of any single input and diffusion of the inputs as a whole. As stated before,
in normal applications $m < u$. So, if a dishonest server reveals its shuffling, it
makes no difference to the situation where this server performs re-encryption
without permutation. Therefore, the only impact of this attack on the privacy
of the shuffling of the whole mix network is to degrade the mix network to a mix
network containing one fewer server. The shuffling of the other servers is not
affected and can still provide strong privacy protection.

— Diffusion of any single input: each input may be permuted to any of a set
of $k^e$ outputs with an equal probability, where $e$ is the number of honest
servers.

— Diffusion of the inputs as a whole: $(k!)^{ze}$ possible permutations from the
inputs of the mix network to its outputs are equally likely.

If $m > u$, greater privacy is possible.

— When $e = u$, diffusion of a single input may be as great as that in Mix-1 (any
input to $n$ equally likely outputs).

— When $e > u$, diffusion of the inputs as a whole may be as great as that in
Mix-1 (all $n!$ possible permutations are equally likely).

However, it is only possible as it depends on the distribution of the honest servers.

¹ As $k$ is usually small, $z$ is large when $n$ is large. So the probability is very low when
$n$ is very large as in a large-scale voting.
4.2 Batched Group-Shuffling Mix Network

Efficiency of correctness verification of Mix-2 is better compared to that of Mix-
1. However it is still costly when $n$ is large. The batch verification technique in
Section 3.2 can be employed to improve the efficiency further. If every server
$SV_j$ uses the same permutation $\pi_j$ to replace $\pi_{j,\alpha}$ for $\alpha = 1, 2, \ldots, z$, according to
Theorem 2 verification equation (5) can be batched as follows.






$\log_g\left(\prod_{\alpha=1}^{z} a'^{\,t_{j,\alpha}}_{j,\alpha,1} \Big/ \prod_{\alpha=1}^{z} a^{\,t_{j,\alpha}}_{j,\alpha,\beta}\right) = \log_y\left(\prod_{\alpha=1}^{z} b'^{\,t_{j,\alpha}}_{j,\alpha,1} \Big/ \prod_{\alpha=1}^{z} b^{\,t_{j,\alpha}}_{j,\alpha,\beta}\right)$

$\vee\ \log_g\left(\prod_{\alpha=1}^{z} a'^{\,t_{j,\alpha}}_{j,\alpha,2} \Big/ \prod_{\alpha=1}^{z} a^{\,t_{j,\alpha}}_{j,\alpha,\beta}\right) = \log_y\left(\prod_{\alpha=1}^{z} b'^{\,t_{j,\alpha}}_{j,\alpha,2} \Big/ \prod_{\alpha=1}^{z} b^{\,t_{j,\alpha}}_{j,\alpha,\beta}\right)$ (6)

$\ldots \vee\ \log_g\left(\prod_{\alpha=1}^{z} a'^{\,t_{j,\alpha}}_{j,\alpha,k} \Big/ \prod_{\alpha=1}^{z} a^{\,t_{j,\alpha}}_{j,\alpha,\beta}\right) = \log_y\left(\prod_{\alpha=1}^{z} b'^{\,t_{j,\alpha}}_{j,\alpha,k} \Big/ \prod_{\alpha=1}^{z} b^{\,t_{j,\alpha}}_{j,\alpha,\beta}\right)$

for $\beta = 1, 2, \ldots, k$

where $t_{j,\alpha}$ for $\alpha = 1, 2, \ldots, z$ are random integers with length $l$. The verification
in Equation (6) for any $\beta$ is denoted as $BGCV_{j,\beta}$. If $BGCV_{j,\beta}$ holds for $\beta = 1, 2, \ldots, k$,
it is denoted as $BGCV(j-1 \to j)$, which means the correctness
verification for $SV_j$ is passed. $BGCV(j-1 \to j)$ is checked for $j = 1, 2, \ldots, m$
to ensure the correctness of the mix network.

This mix network is denoted as Mix-3.



Definition 3 In Mix-3, group shuffling by $SV_j$ is correct if for any $1 \le \alpha \le z$,
the same permutation exists between $|D(c_{j,\alpha,\beta})|$ for $\beta = 1, 2, \ldots, k$ and $|D(c'_{j,\alpha,\beta})|$
for $\beta = 1, 2, \ldots, k$ where $D()$ denotes decryption.

To apply equation (6), the construction of the mix network must be changed
slightly as follows. After the shuffling of all the servers, the outputs of the mix
network are decrypted. Every decrypted message $M_i$ for $i = 1, 2, \ldots, n$ is checked
to be in $G$ by testing whether $M_i^q = 1$. If $M_i^q \ne 1$, an additional computation is
performed: $M_i = -M_i$.



5 Analysis 

5.1 Correctness Analysis 

Correctness of Mix-3 is proved in this subsection. 

Definition 4 Inputs of $SV_j$ are divided into $k$ vectors $V_\beta = (c_{j,1,\beta}, c_{j,2,\beta}, \ldots, c_{j,z,\beta})$
for $\beta = 1, 2, \ldots, k$ where $c_{j,\alpha,\beta} = (a_{j,\alpha,\beta}, b_{j,\alpha,\beta}) \in (Z_p^*)^2$. Outputs of $SV_j$ are
divided into $k$ vectors $V'_\beta = (c'_{j,1,\beta}, c'_{j,2,\beta}, \ldots, c'_{j,z,\beta})$
for $\beta = 1, 2, \ldots, k$ where $c'_{j,\alpha,\beta} = (a'_{j,\alpha,\beta}, b'_{j,\alpha,\beta})$ is in $(Z_p^*)^2$.
Definition 5 $SV_j(V_\mu, V'_\nu) = 1$ means $SV_j$ knows $r_\alpha$ satisfying $|a'_{j,\alpha,\nu}| = g^{r_\alpha} |a_{j,\alpha,\mu}|$
and $|b'_{j,\alpha,\nu}| = y^{r_\alpha} |b_{j,\alpha,\mu}|$ for $\alpha = 1, 2, \ldots, z$.

Lemma 3. If the shuffling by $SV_j$ in Mix-3 is incorrect and for every $V_\mu$ with
$1 \le \mu \le k$ there exists some $V'_\nu$ with $1 \le \nu \le k$ satisfying $SV_j(V_\mu, V'_\nu) = 1$, then
$SV_j$ knows $\log_g a_{j-1,\alpha,i'} - \log_g a_{j-1,\alpha,i''}$ for $\alpha = 1, 2, \ldots, z$ where $1 \le i' < i'' \le k$.

Proof of Lemma 3 is very similar to that of Lemma 1, so is left to the reader.

Lemma 4. $y_i \in Z_p^*$ for $i = 1, 2, \ldots, n$. $1 \le t_i < 2^l < p$ for $i = 1, 2, \ldots, n$ where
$t_i$ are random values and $l$ is a security parameter. If there exists $v$, such that
$1 \le v \le n$ and the logarithm $\log_g |y_v|$ is not known, then $\log_g \prod_{i=1}^{n} y_i^{t_i}$ is known
only with a probability no more than $2^{-l}$.



Proof: First we prove a statement: if there exists $v$, such that $1 \le v \le n$ and
$\log_g |y_v|$ is not known, given a definite set $S = \{t_i \mid t_i < 2^l$ and $i = 1, 2, \ldots, v-1, v+1, \ldots, n\}$,
then $\log_g \prod_{i=1}^{n} y_i^{t_i}$ is known for at most one $t_v$.

If this statement is not correct, $\log_g(\prod_{i=1}^{v-1} y_i^{t_i} \cdot y_v^{t_v} \cdot \prod_{i=v+1}^{n} y_i^{t_i})$ and
$\log_g(\prod_{i=1}^{v-1} y_i^{t_i} \cdot y_v^{\hat{t}_v} \cdot \prod_{i=v+1}^{n} y_i^{t_i})$ are known where $\log_g |y_v|$ is not known and $t_v \ne \hat{t}_v$.

So $\log_g(\prod_{i=1}^{v-1} y_i^{t_i} \cdot y_v^{t_v} \cdot \prod_{i=v+1}^{n} y_i^{t_i}) - \log_g(\prod_{i=1}^{v-1} y_i^{t_i} \cdot y_v^{\hat{t}_v} \cdot \prod_{i=v+1}^{n} y_i^{t_i}) = \log_g y_v^{t_v - \hat{t}_v} = (t_v - \hat{t}_v) \log_g |y_v|$ is known.

Since $t_v - \hat{t}_v$ is public, $\log_g |y_v|$ is known. A contradiction is found, which
means the statement is correct. So for every definite set $\{t_i \mid t_i < 2^l, i = 1, 2, \ldots, n\}$,
the probability that $t_v$ happens to be the unique possible value, so
that $\log_g \prod_{i=1}^{n} y_i^{t_i}$ is known, is no more than $2^{-l}$ as there are $2^l$ choices for $t_v$. □



Theorem 4. If the shuffling by $SV_j$ is incorrect according to Definition 3,
$BGCV(j-1 \to j)$ holds with a probability no more than $1 - (q-1)(1-2^{-l})/q$
without collusion of all the previous $j-1$ servers and at least $2z$ users with their
re-encrypted inputs as $c_{j,\alpha,\rho}$ and $c_{j,\alpha,\delta}$ for $\alpha = 1, 2, \ldots, z$ where $1 \le \rho < \delta \le k$
if the DL problem is intractable.

Proof: The following denotations are used.

$C$ denotes the shuffling is correct.

$E_\beta$ denotes $BGCV(j, \beta)$ holds.

$Q$ denotes $BGCV(j-1 \to j)$ holds.

$N1_\mu$ denotes $D(c_{j,\alpha,\mu}) \ne D(c'_{j,\alpha,\nu})$ for $1 \le \nu \le k$.

$N2_\mu$ denotes $D(c_{j,\alpha,\mu}) = D(c'_{j,\alpha,\nu})$, but $SV_j$ does not know $\log_g |a'_{j,\alpha,\nu}/a_{j,\alpha,\mu}|$
for $1 \le \nu \le k$.

As supposed, $SV_j$ cannot get collusion of all the previous $j-1$ servers and at
least $2z$ users with their re-encrypted inputs as $c_{j,\alpha,\rho}$ and $c_{j,\alpha,\delta}$ for $\alpha = 1, 2, \ldots, z$
where $1 \le \rho < \delta \le k$. So for any $\log_g a_{j,\alpha,\rho}$ and $\log_g a_{j,\alpha,\delta}$ for $\alpha = 1, 2, \ldots, z$
where $1 \le \rho < \delta \le k$, $SV_j$ knows at most $2z-1$ of them and the remaining one is
independent of these $2z-1$ values in the viewpoint of $SV_j$ if the DL problem is
intractable. According to Lemma 3, if the shuffling by server $SV_j$ is incorrect
and the DL problem is intractable, there exists a vector $V_\mu$ and no $V'_\nu$ with $1 \le \nu \le k$
can satisfy $SV_j(V_\mu, V'_\nu) = 1$, where vector $V_\mu = (c_{j,1,\mu}, c_{j,2,\mu}, \ldots, c_{j,z,\mu})$ and
$V'_\nu = (c'_{j,1,\nu}, c'_{j,2,\nu}, \ldots, c'_{j,z,\nu})$. Otherwise, $SV_j$ knows $\log_g a_{j-1,\alpha,i'} - \log_g a_{j-1,\alpha,i''}$
for $\alpha = 1, 2, \ldots, z$ where $1 \le i' < i'' \le k$, which is contradictory to the fact that
for any $\log_g a_{j,\alpha,\rho}$ and $\log_g a_{j,\alpha,\delta}$ for $\alpha = 1, 2, \ldots, z$ where $1 \le \rho < \delta \le k$, $SV_j$
knows at most $2z-1$ of them and the remaining one is independent of those $2z-1$
values in the viewpoint of $SV_j$.

$SV_j(V_\mu, V'_\nu) \ne 1$ means there exists $\alpha$, such that $1 \le \alpha \le k$ and $N1_\mu \vee N2_\mu$
is true. Namely, $P(N1_\mu / \bar{C}) + P(N2_\mu / \bar{C}) = 1$.

According to Theorem 2, $P(\bar{E}_\mu / N1_\mu) \ge 1 - 2^{-l} - (1-2^{-l})/q = (q-1)(1-2^{-l})/q$.

According to Lemma 4, when $N2_\mu$ happens, $\log_g \prod_{\alpha=1}^{z} (a'_{j,\alpha,\nu}/a_{j-1,\alpha,\mu})^{t_{j,\alpha}}$ is
known to $SV_j$ with a probability no more than $2^{-l}$. So $P(\bar{E}_\mu / N2_\mu) \ge 1 - 2^{-l} - (1-2^{-l})/q = (q-1)(1-2^{-l})/q$.

So, $P(\bar{E}_\mu / \bar{C}) = P(N1_\mu / \bar{C}) P(\bar{E}_\mu / N1_\mu) + P(N2_\mu / \bar{C}) P(\bar{E}_\mu / N2_\mu) = (q-1)(1-2^{-l})/q$.

Therefore, $P(\bar{Q} / \bar{C}) = P(\bar{E}_1 / \bar{C}) \vee P(\bar{E}_2 / \bar{C}) \ldots \vee P(\bar{E}_k / \bar{C}) \ge P(\bar{E}_\mu / \bar{C}) = (q-1)(1-2^{-l})/q$.

Namely $P(Q / \bar{C}) \le 1 - (q-1)(1-2^{-l})/q$. □

According to Theorem 4, Mix-3 can provide correctness on every server with an overwhelmingly large probability if the DL problem is intractable and on the condition that this server cannot obtain the collusion of all the previous $j-1$ servers and users with at least 2 inputs in each group on two same positions. This condition is much weaker than the conditions for correctness in Mix-1 and Mix-2: even though collusion of $2z$ or more users is available, the probability that their inputs are in each group on two same positions is very small if at least one server $SV_j$ is honest and chooses $V_{j,i}$ for $i = 1, 2, \ldots, n$ randomly. As in Mix-1 and Mix-2, the probability of tampering with an honest user's input is negligible. If the shuffling on every server is correct, the plaintexts in the inputs to the mix network $\{m_1, m_2, \ldots, m_n\}$ and its plaintext outputs $\{M_1, M_2, \ldots, M_n\}$ have the relationship $\{m_1, m_2, \ldots, m_n\} = \{|M_1|, |M_2|, \ldots, |M_n|\}$. If Mf ≠ 1, an additional computation Mi = Mip^ is performed to obtain correct outputs. Therefore, stronger correctness is achieved in Mix-3 than in Mix-1 and Mix-2, as less trust in the users is needed in Mix-3.

5.2 Other Properties 

Shuffling by every server can be verified publicly and efficiently and a cheating 
server can be identified immediately. Any identified cheating server is deleted 
and its inputs become inputs to the next server. So abnormal situations can be 
dealt with efficiently and the proposed scheme is robust. 

Recall that, as defined in Section 1 and Section 4, there are $n$ users and $m$ servers in the mix network; the number of honest servers is $e$; $t$-out-of-$m$ threshold distributed decryption is used; $k$ is the size of a group, $z$ is the number of groups, and $kz = n$.

The computational costs for correctness proof and verification on a server in Mix-3 are $k(4k-2)$ and $4k^2$ exponentiations respectively. These costs are independent of the number of inputs and lower than those in Mix-2.





Scheme | Extent of correctness | Diffusion of a single input | Diffusion of all the inputs | Is the diffusion uniform?
Abe[1] | not specified | 1 among [illegible] if [illegible] | [illegible]! permutations if [illegible] | No
Abe[2] | not specified | 1 among [illegible] if [illegible] | [illegible]! permutations if [illegible] | Yes
Furukawa[8] | not specified | 1 among [illegible] | [illegible]! permutations | Yes
Neff[14] | not specified | 1 among [illegible] | [illegible]! permutations | Yes
Groth[10] | not specified | 1 among [illegible] | [illegible]! permutations | Yes
Mix-1 | [illegible] | 1 among [illegible] | [illegible]! permutations | Yes
Mix-2 | [illegible] | 1 among [illegible] | ([illegible]!) permutations | Yes
Mix-3 | [illegible] | 1 among [illegible] | ([illegible]!) permutations | Yes

Table 1. Comparison of the mix networks



Privacy of Mix-3 is achieved if the number of malicious decrypting authorities is no more than $t$. The extent of privacy in Mix-3 is as follows when $m \le u$ is assumed.

– Diffusion of any single input in Mix-3 is the same as that in Mix-2 (each input may be permuted to any of the outputs with an equal probability).

– Diffusion of the inputs as a whole in Mix-3 is weaker: [illegible] possible permutations from the inputs of the mix network to its outputs are equally likely.

So, stronger correctness and higher efficiency in Mix-3 compared to Mix-2 are achieved by sacrificing some privacy. By selecting appropriate $k$ and $m$, a good trade-off between efficiency and privacy can be achieved. When $m > u$, as in the case of Mix-2, privacy may be improved in both factors if the distribution of honest servers is appropriate.

In Table 1 and Table 2, the proposed scheme is compared against the best mix networks in the third category (defined in Section 2). Note the following points.

– "not specified" in Table 1 means the probability of correctness (with how much probability the mix network is correct) is not provided.

– In [1] only $t + 1$ out of the $m$ servers take part in the shuffling.

– Re-encryption on each server costs $4(n\log_2 n - n + 1)$ exponentiations in [1] if ElGamal encryption is employed, while in other shuffling schemes this cost is usually $2n$. That is another aspect of inefficiency in [1].

– In [14], it was declared that the total computational cost of proof and verification of shuffling correctness is $8k + 5$. However, the shuffling scheme in [14] is not concrete and it is commonly believed that Neff's scheme is not as efficient as he claimed. Like Groth's analysis in [10], in this paper it is concluded that Neff's shuffling scheme costs $cn$ exponentiations (where $c$ is a small integer) and is not as efficient as [8] or [10].

The final version of the proposed scheme, Mix-3, achieves correctness more clearly (with a concrete extent) than the other schemes. Suppose that in the proposed scheme the decrypting authorities are chosen from the shuffling servers and the decryption key is shared among them with a $t$-out-of-$m$ threshold, as in most other mix networks. Then, when $e < t$, there is no privacy in either Abe's schemes [1, 2] or the proposed scheme, as the inputs can be decrypted by $t + 1$ malicious servers. When $e > t$, privacy in Mix-3 is sufficient for most applications, although depending on $e$ it may not achieve the maximum privacy as in [1]. The proposed scheme is more efficient than all the other schemes, especially when $n$ is large. Moreover, the proposed scheme is simpler than Abe's schemes, as no complex gate circuit is employed and the achieved properties do not depend on theorems in gate circuit theory.





Scheme | Correctness proof on a server | Correctness verification on a server
Abe[1] | $12(n\log_2 n - n + 1)$ | $16(n\log_2 n - n + 1)$
Furukawa[8] | $8n$ | $10n$
Neff[14] | $O(n)$ | $O(n)$
Groth[10]^a | $6n + 3n/\kappa + 3$ | $6n + 3n/\kappa + 6$
Mix-3 | $k(4k - 2)$ | $4k^2$

^a $\kappa$ is a parameter smaller than $n$.

Table 2. Comparison of computation cost in full-length exponentiations



In Table 3, an example is given to make a clearer comparison, where $|g| = 1024$, $n = 10000$, $m = 5$, $t = 2$, $k = 10$, $e = 4 > t$, $\kappa = 100$ and $SV_5$ is assumed to be dishonest. Note that the computational cost in Table 3 is in full-length exponentiations, while some multiplications and short-length exponentiations are ignored as they are trivial compared to the cost of the full-length exponentiations. The results of this table clearly demonstrate an enormous improvement in efficiency in the proposed scheme without losing strong correctness and privacy when there are a large number of users. In a nationwide election involving millions of voters, the efficiency advantage of the proposed scheme is greater.
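As an added check that is not part of the paper, the following Python evaluates the per-server cost formulas of Table 2 at the parameters of Table 3 ($n = 10000$, $k = 10$, $\kappa = 100$) and reproduces its entries. Neff[14] is left out because the page gives only $O(n)$ for it, and Abe's entries are rounded to the nearest exponentiation since $\log_2 n$ is not an integer. The function names are mine.

```python
"""Per-server proof and verification cost of the compared shuffles (Table 2).

Added worked example: the formulas are the page's, the code is not the paper's.
Each function returns a (proof_cost, verification_cost) pair counted in
full-length exponentiations, as in Table 2 and Table 3.
"""
import math


def abe_cost(n):
    """Abe[1]: 12(n log2 n - n + 1) for proof, 16(n log2 n - n + 1) for verification."""
    base = n * math.log2(n) - n + 1
    return round(12 * base), round(16 * base)


def furukawa_cost(n):
    """Furukawa[8]: 8n for proof, 10n for verification."""
    return 8 * n, 10 * n


def groth_cost(n, kappa):
    """Groth[10]: 6n + 3n/kappa + 3 for proof, 6n + 3n/kappa + 6 for verification (kappa < n)."""
    if not 0 < kappa < n:
        raise ValueError("kappa must be a positive parameter smaller than n")
    shared = 6 * n + round(3 * n / kappa)
    return shared + 3, shared + 6


def mix3_cost(k):
    """Mix-3: k(4k - 2) for proof, 4k^2 for verification; independent of n."""
    return k * (4 * k - 2), 4 * k * k


def cost_table(n, k, kappa):
    """Evaluate every scheme with a concrete formula at the given parameters."""
    return {
        "Abe[1]": abe_cost(n),
        "Furukawa[8]": furukawa_cost(n),
        "Groth[10]": groth_cost(n, kappa),
        "Mix-3": mix3_cost(k),
    }


def cheapest_verification(n, k, kappa):
    """Name of the scheme with the lowest per-server verification cost."""
    table = cost_table(n, k, kappa)
    return min(table, key=lambda scheme: table[scheme][1])


if __name__ == "__main__":
    for scheme, (proof, verify) in cost_table(10000, 10, 100).items():
        print(f"{scheme:12s} proof={proof:8d} verify={verify:8d}")
    print("cheapest verification at n=10000:", cheapest_verification(10000, 10, 100))
    print("cheapest verification at n=20:   ", cheapest_verification(20, 10, 10))
```

Running it at the Table 3 parameters prints 1474537/1966050, 80000/100000, 60303/60306 and 380/400, matching the table, and `cheapest_verification` shows that the advantage of Mix-3 comes from its cost depending only on the group size $k$: at very small $n$ the $n$-linear schemes are cheaper, at $n = 10000$ Mix-3 is cheaper by two orders of magnitude.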

6 Conclusion 

The proposed mix network provides strong and precise correctness and privacy. 
With the help of a grouping function and a batch verification technique, the mix 
network is very efficient. The mix network is robust and can deal with dishonest 
servers efficiently. 










Scheme | Extent of correctness | Diffusion of a single input | Diffusion of all the inputs | Cost of proof on a server | Cost of server verification
Abe[1] | not specified | 1 among 10000 | 10000! permutations | 1474537 | 1966050
Furukawa[8] | not specified | 1 among 10000 | 10000! permutations | 80000 | 100000
Groth[10] | not specified | 1 among 10000 | 10000! permutations | 60303 | 60306
Mix-3 | [illegible] is extremely small | 1 among 10000 | 1.734 × 10^[illegible] permutations | 380 | 400

Table 3. Example for comparison